commit 21a59cba7fb4dfb56d6a00b1b069debf46711bb8 Author: deflax Date: Sat May 18 05:03:38 2024 +0300 import from rtg diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c423400 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +.DS_Store + +kubespray/ +config diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..7c98d49 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,26 @@ +stages: + - terraforming + +staging: + stage: terraforming + variables: + TF_STATE_NAME: staging + TF_CACHE_KEY: staging + TF_ROOT: terraform/staging + trigger: + include: terraform/staging/.gitlab-ci.yml + rules: + - changes: + - terraform/staging/* + +testbed: + stage: terraforming + variables: + TF_STATE_NAME: testbed + TF_CACHE_KEY: testbed + TF_ROOT: terraform/testbed + trigger: + include: terraform/testbed/.gitlab-ci.yml + rules: + - changes: + - terraform/testbed/* diff --git a/README.md b/README.md new file mode 100644 index 0000000..0fdc063 --- /dev/null +++ b/README.md @@ -0,0 +1,20 @@ + +# Kubernetes Cluster + +Application cluster installer based on + +- kubespray +- k8x + +# Start from clusteradmin provisioning host + +./init.sh - setup kubespray based on kube-inventory so we can manage a k8s cluster with it +# Start from master1 + +./setup-apps.sh - post install system apps like ingress, registry and monitoring to make the cluster usable + +./setup-scripts.sh - setup additional helper scrips + +./setup-env.sh - create new namespace and setup additional keypair, service accounts, rbac, limits (and optional wildcard ssl certificate) + +./attach-private-registry - setup a secret for a external private registry diff --git a/attach-private-registry.sh b/attach-private-registry.sh new file mode 100755 index 0000000..491932e --- /dev/null +++ b/attach-private-registry.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +echo "" +echo "... ] Attaching private Docker registry [ ..." +echo "" + +if [ -z "$1" ]; then + echo "] Usage: ./attach_private_registry.sh " + exit 2 +fi +REG_NAME="$1" + +echo -n "] Target secret namespace: " +read NSPACE +if [ -z "$NSPACE" ]; then + echo "] No namespace" + exit 1 +fi + +echo -n "] Enter Docker registry user: " +read REGISTRY_USER + +echo -n "] Enter Docker registry password (token): " +read REGISTRY_PASS + +echo -n "] Enter Docker registry email: " +read REGISTRY_EMAIL + +echo -n "] Enter Docker registry url (empty for docker hub): " +read REGISTRY_URL +if [ -z "$REGISTRY_URL" ]; then + CONFIG_URL="--docker-server=https://index.docker.io/v2/" +else + CONFIG_URL="--docker-server=https://${REGISTRY_URL}/v2/" +fi + +SECRET_NAME="registry-${NSPACE}-${REG_NAME}" +SECRET_CONFIG="${CONFIG_URL} --docker-username=${REGISTRY_USER} --docker-password=${REGISTRY_PASS} --docker-email=${REGISTRY_EMAIL}" +CMD="/usr/local/bin/k -n ${NSPACE} create secret docker-registry ${SECRET_NAME} ${SECRET_CONFIG}" + +echo "" +echo "Executing command: ${CMD}" +echo -n "Is that okay [y/n]? " +read answer +if [ "$answer" != "${answer#[Yy]}" ]; then + ${CMD} +fi \ No newline at end of file diff --git a/config.dist b/config.dist new file mode 100644 index 0000000..07d217a --- /dev/null +++ b/config.dist @@ -0,0 +1,39 @@ +#GLOBAL +NTP_SERVER=10.15.8.80 +CERT_MODE=False +CLUSTER_DOMAIN=k8test.example.com +CLUSTER_SUPP_ADDR="[10.15.0.2, kube.k8test.example.com]" +EXT_LB_DOMAIN=kube.example.com +EXT_LB_ADDRESS=10.15.0.2 +EXT_LB_PORT=16444 + +#INGRESS-NGINX +MAXMIND_LIC="4rD1ICHnexjd6KaY" + +#CERT-MANAGER +ADMIN_EMAIL=admin@example.com +CLOUDFLARE_API_KEY=000 + +#STORAGE +CEPH_ADMIN_KEY="" +CEPH_USER_KEY="" +CEPH_MONITOR_1="10.15.8.91" +CEPH_MONITOR_2="10.15.8.92" +CEPH_MONITOR_3="10.15.8.93" + +#REGISTRY +REGISTRY_URL="registry.develop.example.com" +REGISTRY_USER=deployer +REGISTRY_PASS=pass123 +REGISTRY_INTERNAL=False + +#MONITORING +ZABBIX_SERVER="10.15.0.2" +ZABBIX_PSK=asdqwe123 +ZABBIX_PSK_ID=PSK +GRAFANA_SMTP_HOST=email-smtp.eu-west-1.amazonaws.com +GRAFANA_SMTP_USER=user +GRAFANA_SMTP_PASSWORD="asdqwe123" +GRAFANA_SMTP_FROM_ADDRESS="no-reply@example.com" +LOKI_STORAGE_SIZE=128Gi +LOKI_RETENTION=long diff --git a/init.sh b/init.sh new file mode 100755 index 0000000..4e2599c --- /dev/null +++ b/init.sh @@ -0,0 +1,48 @@ +#!/bin/bash + +# k8x v2 + +KUBESPRAY_TAG="release-2.16" + +if [ -f config ]; then + echo "config file FOUND :)" + source config +else + echo "config file is missing." + exit 1 +fi + +echo "] Install packages to cluster admin node ..." +apt update +apt install git rsync python3-pip -y + +echo "] Clone Kubespray ..." +git clone https://github.com/kubernetes-sigs/kubespray.git + +echo "] Sync our recipies ..." +rsync -av inventory/ kubespray/inventory/kube/ + +echo "- setup external load balancer variable from config..." +sed -i "s#var_lb_domain#${EXT_LB_DOMAIN}#g" "kubespray/inventory/kube/group_vars/all/all.yml" +sed -i "s#var_lb_address#${EXT_LB_ADDRESS}#g" "kubespray/inventory/kube/group_vars/all/all.yml" +sed -i "s#var_lb_port#${EXT_LB_PORT}#g" "kubespray/inventory/kube/group_vars/all/all.yml" + +echo "- setup additional addresses to kube ssl cert" +sed -i "s#var_cluster_supp_addr#${CLUSTER_SUPP_ADDR}#g" "kubespray/inventory/kube/group_vars/k8s_cluster/k8s-cluster.yml" + +echo "- setup ceph variables from config ..." +sed -i "s#var_ceph_monitors#${CEPH_MONITOR_1}:6789,${CEPH_MONITOR_2}:6789,${CEPH_MONITOR_3}:6789#g" "kubespray/inventory/kube/group_vars/k8s_cluster/addons.yml" +sed -i "s#var_ceph_admin_key#${CEPH_ADMIN_KEY}#g" "kubespray/inventory/kube/group_vars/k8s_cluster/addons.yml" +sed -i "s#var_ceph_user_key#${CEPH_USER_KEY}#g" "kubespray/inventory/kube/group_vars/k8s_cluster/addons.yml" + +echo "] Switch to $KUBESPRAY_TAG branch ..." +cd kubespray/ +git checkout $KUBESPRAY_TAG +cd .. + +echo "] Patch $KUBESPRAY_TAG ..." +rsync -av patches/${KUBESPRAY_TAG}/ kubespray/ + +echo "] Execute python requierments.txt ..." +cd kubespray/ +pip3 install -r requirements.txt diff --git a/inventory/group_vars/all/all.yml b/inventory/group_vars/all/all.yml new file mode 100644 index 0000000..67d3455 --- /dev/null +++ b/inventory/group_vars/all/all.yml @@ -0,0 +1,118 @@ +--- +## Directory where etcd data stored +etcd_data_dir: /var/lib/etcd + +## Experimental kubeadm etcd deployment mode. Available only for new deployment +etcd_kubeadm_enabled: false + +## Directory where the binaries will be installed +bin_dir: /usr/local/bin + +## The access_ip variable is used to define how other nodes should access +## the node. This is used in flannel to allow other flannel nodes to see +## this node for example. The access_ip is really useful AWS and Google +## environments where the nodes are accessed remotely by the "public" ip, +## but don't know about that address themselves. +# access_ip: 1.1.1.1 + +## External LB example config +#apiserver_loadbalancer_domain_name: "var_lb_domain" +#loadbalancer_apiserver: +# address: var_lb_address +# port: var_lb_port + +## Internal loadbalancers for apiservers +loadbalancer_apiserver_localhost: true +# valid options are "nginx" or "haproxy" +# loadbalancer_apiserver_type: nginx # valid values "nginx" or "haproxy" +loadbalancer_apiserver_type: "haproxy" + +## If the cilium is going to be used in strict mode, we can use the +## localhost connection and not use the external LB. If this parameter is +## not specified, the first node to connect to kubeapi will be used. +use_localhost_as_kubeapi_loadbalancer: true + +## Local loadbalancer should use this port +## And must be set port 6443 +loadbalancer_apiserver_port: 6443 + +## If loadbalancer_apiserver_healthcheck_port variable defined, enables proxy liveness check for nginx. +loadbalancer_apiserver_healthcheck_port: 8081 + +### OTHER OPTIONAL VARIABLES + +## Upstream dns servers +upstream_dns_servers: + - 8.8.8.8 + - 1.1.1.1 + +## There are some changes specific to the cloud providers +## for instance we need to encapsulate packets with some network plugins +## If set the possible values are either 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', or 'external' +## When openstack is used make sure to source in the openstack credentials +## like you would do when using openstack-client before starting the playbook. +# cloud_provider: + +## When cloud_provider is set to 'external', you can set the cloud controller to deploy +## Supported cloud controllers are: 'openstack' and 'vsphere' +## When openstack or vsphere are used make sure to source in the required fields +# external_cloud_provider: + +## Set these proxy values in order to update package manager and docker daemon to use proxies +# http_proxy: "" +# https_proxy: "" + +## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy +# no_proxy: "" + +## Some problems may occur when downloading files over https proxy due to ansible bug +## https://github.com/ansible/ansible/issues/32750. Set this variable to False to disable +## SSL validation of get_url module. Note that kubespray will still be performing checksum validation. +# download_validate_certs: False + +## If you need exclude all cluster nodes from proxy and other resources, add other resources here. +# additional_no_proxy: "" + +## If you need to disable proxying of os package repositories but are still behind an http_proxy set +## skip_http_proxy_on_os_packages to true +## This will cause kubespray not to set proxy environment in /etc/yum.conf for centos and in /etc/apt/apt.conf for debian/ubuntu +## Special information for debian/ubuntu - you have to set the no_proxy variable, then apt package will install from your source of wish +# skip_http_proxy_on_os_packages: false + +## Since workers are included in the no_proxy variable by default, docker engine will be restarted on all nodes (all +## pods will restart) when adding or removing workers. To override this behaviour by only including master nodes in the +## no_proxy variable, set below to true: +no_proxy_exclude_workers: false + +## Certificate Management +## This setting determines whether certs are generated via scripts. +## Chose 'none' if you provide your own certificates. +## Option is "script", "none" +# cert_management: script + +## Set to true to allow pre-checks to fail and continue deployment +# ignore_assert_errors: false + +## The read-only port for the Kubelet to serve on with no authentication/authorization. Uncomment to enable. +# kube_read_only_port: 10255 + +## Set true to download and cache container +# download_container: true + +## Deploy container engine +# Set false if you want to deploy container engine manually. +# deploy_container_engine: true + +## Red Hat Enterprise Linux subscription registration +## Add either RHEL subscription Username/Password or Organization ID/Activation Key combination +## Update RHEL subscription purpose usage, role and SLA if necessary +# rh_subscription_username: "" +# rh_subscription_password: "" +# rh_subscription_org_id: "" +# rh_subscription_activation_key: "" +# rh_subscription_usage: "Development" +# rh_subscription_role: "Red Hat Enterprise Server" +# rh_subscription_sla: "Self-Support" + +## Check if access_ip responds to ping. Set false if your firewall blocks ICMP. +# ping_access_ip: true diff --git a/inventory/group_vars/all/aws.yml b/inventory/group_vars/all/aws.yml new file mode 100644 index 0000000..dab674e --- /dev/null +++ b/inventory/group_vars/all/aws.yml @@ -0,0 +1,9 @@ +## To use AWS EBS CSI Driver to provision volumes, uncomment the first value +## and configure the parameters below +# aws_ebs_csi_enabled: true +# aws_ebs_csi_enable_volume_scheduling: true +# aws_ebs_csi_enable_volume_snapshot: false +# aws_ebs_csi_enable_volume_resizing: false +# aws_ebs_csi_controller_replicas: 1 +# aws_ebs_csi_plugin_image_tag: latest +# aws_ebs_csi_extra_volume_tags: "Owner=owner,Team=team,Environment=environment' diff --git a/inventory/group_vars/all/azure.yml b/inventory/group_vars/all/azure.yml new file mode 100644 index 0000000..176b0f1 --- /dev/null +++ b/inventory/group_vars/all/azure.yml @@ -0,0 +1,40 @@ +## When azure is used, you need to also set the following variables. +## see docs/azure.md for details on how to get these values + +# azure_cloud: +# azure_tenant_id: +# azure_subscription_id: +# azure_aad_client_id: +# azure_aad_client_secret: +# azure_resource_group: +# azure_location: +# azure_subnet_name: +# azure_security_group_name: +# azure_security_group_resource_group: +# azure_vnet_name: +# azure_vnet_resource_group: +# azure_route_table_name: +# azure_route_table_resource_group: +# supported values are 'standard' or 'vmss' +# azure_vmtype: standard + +## Azure Disk CSI credentials and parameters +## see docs/azure-csi.md for details on how to get these values + +# azure_csi_tenant_id: +# azure_csi_subscription_id: +# azure_csi_aad_client_id: +# azure_csi_aad_client_secret: +# azure_csi_location: +# azure_csi_resource_group: +# azure_csi_vnet_name: +# azure_csi_vnet_resource_group: +# azure_csi_subnet_name: +# azure_csi_security_group_name: +# azure_csi_use_instance_metadata: +# azure_csi_tags: "Owner=owner,Team=team,Environment=environment' + +## To enable Azure Disk CSI, uncomment below +# azure_csi_enabled: true +# azure_csi_controller_replicas: 1 +# azure_csi_plugin_image_tag: latest diff --git a/inventory/group_vars/all/containerd.yml b/inventory/group_vars/all/containerd.yml new file mode 100644 index 0000000..82c4953 --- /dev/null +++ b/inventory/group_vars/all/containerd.yml @@ -0,0 +1,34 @@ +--- +# Please see roles/container-engine/containerd/defaults/main.yml for more configuration options + +# containerd_storage_dir: "/var/lib/containerd" +# containerd_state_dir: "/run/containerd" +# containerd_oom_score: 0 + +# containerd_default_runtime: "runc" +# containerd_snapshotter: "native" + +# containerd_runtimes: +# - name: runc +# type: "io.containerd.runc.v2" +# engine: "" +# root: "" +# Example for Kata Containers as additional runtime: +# - name: kata +# type: "io.containerd.kata.v2" +# engine: "" +# root: "" + +# containerd_grpc_max_recv_message_size: 16777216 +# containerd_grpc_max_send_message_size: 16777216 + +# containerd_debug_level: "info" + +# containerd_metrics_address: "" + +# containerd_metrics_grpc_histogram: false + +# containerd_registries: +# "docker.io": "https://registry-1.docker.io" + +# containerd_max_container_log_line_size: -1 diff --git a/inventory/group_vars/all/coreos.yml b/inventory/group_vars/all/coreos.yml new file mode 100644 index 0000000..22c2166 --- /dev/null +++ b/inventory/group_vars/all/coreos.yml @@ -0,0 +1,2 @@ +## Does coreos need auto upgrade, default is true +# coreos_auto_upgrade: true diff --git a/inventory/group_vars/all/docker.yml b/inventory/group_vars/all/docker.yml new file mode 100644 index 0000000..4e968c3 --- /dev/null +++ b/inventory/group_vars/all/docker.yml @@ -0,0 +1,59 @@ +--- +## Uncomment this if you want to force overlay/overlay2 as docker storage driver +## Please note that overlay2 is only supported on newer kernels +# docker_storage_options: -s overlay2 + +## Enable docker_container_storage_setup, it will configure devicemapper driver on Centos7 or RedHat7. +docker_container_storage_setup: false + +## It must be define a disk path for docker_container_storage_setup_devs. +## Otherwise docker-storage-setup will be executed incorrectly. +# docker_container_storage_setup_devs: /dev/vdb + +## Uncomment this if you want to change the Docker Cgroup driver (native.cgroupdriver) +## Valid options are systemd or cgroupfs, default is systemd +# docker_cgroup_driver: systemd + +## Only set this if you have more than 3 nameservers: +## If true Kubespray will only use the first 3, otherwise it will fail +docker_dns_servers_strict: false + +# Path used to store Docker data +docker_daemon_graph: "/var/lib/docker" + +## Used to set docker daemon iptables options to true +docker_iptables_enabled: "false" + +# Docker log options +# Rotate container stderr/stdout logs at 50m and keep last 5 +docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5" + +# define docker bin_dir +docker_bin_dir: "/usr/bin" + +# keep docker packages after installation; speeds up repeated ansible provisioning runs when '1' +# kubespray deletes the docker package on each run, so caching the package makes sense +docker_rpm_keepcache: 1 + +## An obvious use case is allowing insecure-registry access to self hosted registries. +## Can be ipaddress and domain_name. +## example define 172.19.16.11 or mirror.registry.io +# docker_insecure_registries: +# - mirror.registry.io +# - 172.19.16.11 + +## Add other registry,example China registry mirror. +# docker_registry_mirrors: +# - https://registry.docker-cn.com +# - https://mirror.aliyuncs.com + +## If non-empty will override default system MountFlags value. +## This option takes a mount propagation flag: shared, slave +## or private, which control whether mounts in the file system +## namespace set up for docker will receive or propagate mounts +## and unmounts. Leave empty for system default +# docker_mount_flags: + +## A string of extra options to pass to the docker daemon. +## This string should be exactly as you wish it to appear. +# docker_options: "" diff --git a/inventory/group_vars/all/gcp.yml b/inventory/group_vars/all/gcp.yml new file mode 100644 index 0000000..49eb5c0 --- /dev/null +++ b/inventory/group_vars/all/gcp.yml @@ -0,0 +1,10 @@ +## GCP compute Persistent Disk CSI Driver credentials and parameters +## See docs/gcp-pd-csi.md for information about the implementation + +## Specify the path to the file containing the service account credentials +# gcp_pd_csi_sa_cred_file: "/my/safe/credentials/directory/cloud-sa.json" + +## To enable GCP Persistent Disk CSI driver, uncomment below +# gcp_pd_csi_enabled: true +# gcp_pd_csi_controller_replicas: 1 +# gcp_pd_csi_driver_image_tag: "v0.7.0-gke.0" diff --git a/inventory/group_vars/all/oci.yml b/inventory/group_vars/all/oci.yml new file mode 100644 index 0000000..541d0e6 --- /dev/null +++ b/inventory/group_vars/all/oci.yml @@ -0,0 +1,28 @@ +## When Oracle Cloud Infrastructure is used, set these variables +# oci_private_key: +# oci_region_id: +# oci_tenancy_id: +# oci_user_id: +# oci_user_fingerprint: +# oci_compartment_id: +# oci_vnc_id: +# oci_subnet1_id: +# oci_subnet2_id: +## Override these default/optional behaviors if you wish +# oci_security_list_management: All +## If you would like the controller to manage specific lists per subnet. This is a mapping of subnet ocids to security list ocids. Below are examples. +# oci_security_lists: +# ocid1.subnet.oc1.phx.aaaaaaaasa53hlkzk6nzksqfccegk2qnkxmphkblst3riclzs4rhwg7rg57q: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q +# ocid1.subnet.oc1.phx.aaaaaaaahuxrgvs65iwdz7ekwgg3l5gyah7ww5klkwjcso74u3e4i64hvtvq: ocid1.securitylist.oc1.iad.aaaaaaaaqti5jsfvyw6ejahh7r4okb2xbtuiuguswhs746mtahn72r7adt7q +## If oci_use_instance_principals is true, you do not need to set the region, tenancy, user, key, passphrase, or fingerprint +# oci_use_instance_principals: false +# oci_cloud_controller_version: 0.6.0 +## If you would like to control OCI query rate limits for the controller +# oci_rate_limit: +# rate_limit_qps_read: +# rate_limit_qps_write: +# rate_limit_bucket_read: +# rate_limit_bucket_write: +## Other optional variables +# oci_cloud_controller_pull_source: (default iad.ocir.io/oracle/cloud-provider-oci) +# oci_cloud_controller_pull_secret: (name of pull secret to use if you define your own mirror above) diff --git a/inventory/group_vars/all/offline.yml b/inventory/group_vars/all/offline.yml new file mode 100644 index 0000000..3bdefcd --- /dev/null +++ b/inventory/group_vars/all/offline.yml @@ -0,0 +1,79 @@ +--- +## Global Offline settings +### Private Container Image Registry +# registry_host: "myprivateregisry.com" +# files_repo: "http://myprivatehttpd" +### If using CentOS, RedHat, AlmaLinux or Fedora +# yum_repo: "http://myinternalyumrepo" +### If using Debian +# debian_repo: "http://myinternaldebianrepo" +### If using Ubuntu +# ubuntu_repo: "http://myinternalubunturepo" + +## Container Registry overrides +# kube_image_repo: "{{ registry_host }}" +# gcr_image_repo: "{{ registry_host }}" +# docker_image_repo: "{{ registry_host }}" +# quay_image_repo: "{{ registry_host }}" + +## Kubernetes components +# kubeadm_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubeadm" +# kubectl_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubectl" +# kubelet_download_url: "{{ files_repo }}/kubernetes/{{ kube_version }}/kubelet" + +## CNI Plugins +# cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_arch }}-{{ cni_version }}.tgz" + +## cri-tools +# crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz" + +## [Optional] etcd: only if you **DON'T** use etcd_deployment=host +# etcd_download_url: "{{ files_repo }}/kubernetes/etcd/etcd-{{ etcd_version }}-linux-amd64.tar.gz" + +# [Optional] Calico: If using Calico network plugin +# calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}" +# [Optional] Calico with kdd: If using Calico network plugin with kdd datastore +# calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz" + +# [Optional] helm: only if you set helm_enabled: true +# helm_download_url: "{{ files_repo }}/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz" + +# [Optional] crun: only if you set crun_enabled: true +# crun_download_url: "{{ files_repo }}/containers/crun/releases/download/{{ crun_version }}/crun-{{ crun_version }}-linux-{{ image_arch }}" + +# [Optional] kata: only if you set kata_containers_enabled: true +# kata_containers_download_url: "{{ files_repo }}/kata-containers/runtime/releases/download/{{ kata_containers_version }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz" + +## CentOS/Redhat/AlmaLinux +### For EL7, base and extras repo must be available, for EL8, baseos and appstream +### By default we enable those repo automatically +# rhel_enable_repos: false +### Docker / Containerd +# docker_rh_repo_base_url: "{{ yum_repo }}/docker-ce/$releasever/$basearch" +# docker_rh_repo_gpgkey: "{{ yum_repo }}/docker-ce/gpg" + +## Fedora +### Docker +# docker_fedora_repo_base_url: "{{ yum_repo }}/docker-ce/{{ ansible_distribution_major_version }}/{{ ansible_architecture }}" +# docker_fedora_repo_gpgkey: "{{ yum_repo }}/docker-ce/gpg" +### Containerd +# containerd_fedora_repo_base_url: "{{ yum_repo }}/containerd" +# containerd_fedora_repo_gpgkey: "{{ yum_repo }}/docker-ce/gpg" + +## Debian +### Docker +# docker_debian_repo_base_url: "{{ debian_repo }}/docker-ce" +# docker_debian_repo_gpgkey: "{{ debian_repo }}/docker-ce/gpg" +### Containerd +# containerd_debian_repo_base_url: "{{ ubuntu_repo }}/containerd" +# containerd_debian_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" +# containerd_debian_repo_repokey: 'YOURREPOKEY' + +## Ubuntu +### Docker +# docker_ubuntu_repo_base_url: "{{ ubuntu_repo }}/docker-ce" +# docker_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/docker-ce/gpg" +### Containerd +# containerd_ubuntu_repo_base_url: "{{ ubuntu_repo }}/containerd" +# containerd_ubuntu_repo_gpgkey: "{{ ubuntu_repo }}/containerd/gpg" +# containerd_ubuntu_repo_repokey: 'YOURREPOKEY' diff --git a/inventory/group_vars/all/openstack.yml b/inventory/group_vars/all/openstack.yml new file mode 100644 index 0000000..7835664 --- /dev/null +++ b/inventory/group_vars/all/openstack.yml @@ -0,0 +1,49 @@ +## When OpenStack is used, Cinder version can be explicitly specified if autodetection fails (Fixed in 1.9: https://github.com/kubernetes/kubernetes/issues/50461) +# openstack_blockstorage_version: "v1/v2/auto (default)" +# openstack_blockstorage_ignore_volume_az: yes +## When OpenStack is used, if LBaaSv2 is available you can enable it with the following 2 variables. +# openstack_lbaas_enabled: True +# openstack_lbaas_subnet_id: "Neutron subnet ID (not network ID) to create LBaaS VIP" +## To enable automatic floating ip provisioning, specify a subnet. +# openstack_lbaas_floating_network_id: "Neutron network ID (not subnet ID) to get floating IP from, disabled by default" +## Override default LBaaS behavior +# openstack_lbaas_use_octavia: False +# openstack_lbaas_method: "ROUND_ROBIN" +# openstack_lbaas_provider: "haproxy" +# openstack_lbaas_create_monitor: "yes" +# openstack_lbaas_monitor_delay: "1m" +# openstack_lbaas_monitor_timeout: "30s" +# openstack_lbaas_monitor_max_retries: "3" + +## Values for the external OpenStack Cloud Controller +# external_openstack_lbaas_network_id: "Neutron network ID to create LBaaS VIP" +# external_openstack_lbaas_subnet_id: "Neutron subnet ID to create LBaaS VIP" +# external_openstack_lbaas_floating_network_id: "Neutron network ID to get floating IP from" +# external_openstack_lbaas_floating_subnet_id: "Neutron subnet ID to get floating IP from" +# external_openstack_lbaas_method: "ROUND_ROBIN" +# external_openstack_lbaas_provider: "octavia" +# external_openstack_lbaas_create_monitor: false +# external_openstack_lbaas_monitor_delay: "1m" +# external_openstack_lbaas_monitor_timeout: "30s" +# external_openstack_lbaas_monitor_max_retries: "3" +# external_openstack_lbaas_manage_security_groups: false +# external_openstack_lbaas_internal_lb: false +# external_openstack_network_ipv6_disabled: false +# external_openstack_network_internal_networks: [] +# external_openstack_network_public_networks: [] +# external_openstack_metadata_search_order: "configDrive,metadataService" + +## Application credentials to authenticate against Keystone API +## Those settings will take precedence over username and password that might be set your environment +## All of them are required +# external_openstack_application_credential_name: +# external_openstack_application_credential_id: +# external_openstack_application_credential_secret: + +## The tag of the external OpenStack Cloud Controller image +# external_openstack_cloud_controller_image_tag: "latest" + +## To use Cinder CSI plugin to provision volumes set this value to true +## Make sure to source in the openstack credentials +# cinder_csi_enabled: true +# cinder_csi_controller_replicas: 1 diff --git a/inventory/group_vars/all/vsphere.yml b/inventory/group_vars/all/vsphere.yml new file mode 100644 index 0000000..e6033d4 --- /dev/null +++ b/inventory/group_vars/all/vsphere.yml @@ -0,0 +1,24 @@ +## Values for the external vSphere Cloud Provider +# external_vsphere_vcenter_ip: "myvcenter.domain.com" +# external_vsphere_vcenter_port: "443" +# external_vsphere_insecure: "true" +# external_vsphere_user: "administrator@vsphere.local" +# external_vsphere_password: "K8s_admin" +# external_vsphere_datacenter: "DATACENTER_name" +# external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id" + +## Vsphere version where located VMs +# external_vsphere_version: "6.7u3" + +## Tags for the external vSphere Cloud Provider images +# external_vsphere_cloud_controller_image_tag: "latest" +# vsphere_syncer_image_tag: "v1.0.2" +# vsphere_csi_attacher_image_tag: "v1.1.1" +# vsphere_csi_controller: "v1.0.2" +# vsphere_csi_liveness_probe_image_tag: "v1.1.0" +# vsphere_csi_provisioner_image_tag: "v1.2.2" +# vsphere_csi_resizer_tag: "v1.0.0" + +## To use vSphere CSI plugin to provision volumes set this value to true +# vsphere_csi_enabled: true +# vsphere_csi_controller_replicas: 1 diff --git a/inventory/group_vars/etcd.yml b/inventory/group_vars/etcd.yml new file mode 100644 index 0000000..6c6765e --- /dev/null +++ b/inventory/group_vars/etcd.yml @@ -0,0 +1,22 @@ +--- +## Etcd auto compaction retention for mvcc key value store in hour +# etcd_compaction_retention: 0 + +## Set level of detail for etcd exported metrics, specify 'extensive' to include histogram metrics. +# etcd_metrics: basic + +## Etcd is restricted by default to 512M on systems under 4GB RAM, 512MB is not enough for much more than testing. +## Set this if your etcd nodes have less than 4GB but you want more RAM for etcd. Set to 0 for unrestricted RAM. +# etcd_memory_limit: "512M" + +## Etcd has a default of 2G for its space quota. If you put a value in etcd_memory_limit which is less than +## etcd_quota_backend_bytes, you may encounter out of memory terminations of the etcd cluster. Please check +## etcd documentation for more information. +# etcd_quota_backend_bytes: "2147483648" + +### ETCD: disable peer client cert authentication. +# This affects ETCD_PEER_CLIENT_CERT_AUTH variable +# etcd_peer_client_auth: true + +## Settings for etcd deployment type +etcd_deployment_type: docker diff --git a/inventory/group_vars/k8s_cluster/addons.yml b/inventory/group_vars/k8s_cluster/addons.yml new file mode 100644 index 0000000..ae41734 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/addons.yml @@ -0,0 +1,182 @@ +--- +# Kubernetes dashboard +# RBAC required. see docs/getting-started.md for access details. +# dashboard_enabled: false + +# Helm deployment +helm_enabled: true + +# Registry deployment +registry_enabled: false +# registry_namespace: kube-system +# registry_storage_class: "" +# registry_disk_size: "10Gi" + +# Metrics Server deployment +metrics_server_enabled: true +# metrics_server_kubelet_insecure_tls: true +# metrics_server_metric_resolution: 60s +# metrics_server_kubelet_preferred_address_types: "InternalIP" + +# Rancher Local Path Provisioner +local_path_provisioner_enabled: false +# local_path_provisioner_namespace: "local-path-storage" +# local_path_provisioner_storage_class: "local-path" +# local_path_provisioner_reclaim_policy: Delete +# local_path_provisioner_claim_root: /opt/local-path-provisioner/ +# local_path_provisioner_debug: false +# local_path_provisioner_image_repo: "rancher/local-path-provisioner" +# local_path_provisioner_image_tag: "v0.0.19" +# local_path_provisioner_helper_image_repo: "busybox" +# local_path_provisioner_helper_image_tag: "latest" + +# Local volume provisioner deployment +local_volume_provisioner_enabled: false +# local_volume_provisioner_namespace: kube-system +# local_volume_provisioner_nodelabels: +# - kubernetes.io/hostname +# - topology.kubernetes.io/region +# - topology.kubernetes.io/zone +# local_volume_provisioner_storage_classes: +# local-storage: +# host_dir: /mnt/disks +# mount_dir: /mnt/disks +# volume_mode: Filesystem +# fs_type: ext4 +# fast-disks: +# host_dir: /mnt/fast-disks +# mount_dir: /mnt/fast-disks +# block_cleaner_command: +# - "/scripts/shred.sh" +# - "2" +# volume_mode: Filesystem +# fs_type: ext4 + +# CephFS provisioner deployment +cephfs_provisioner_enabled: false +# cephfs_provisioner_namespace: "cephfs-provisioner" +# cephfs_provisioner_cluster: ceph +# cephfs_provisioner_monitors: "172.24.0.1:6789,172.24.0.2:6789,172.24.0.3:6789" +# cephfs_provisioner_admin_id: admin +# cephfs_provisioner_secret: secret +# cephfs_provisioner_storage_class: cephfs +# cephfs_provisioner_reclaim_policy: Delete +# cephfs_provisioner_claim_root: /volumes +# cephfs_provisioner_deterministic_names: true + +# RBD provisioner deployment +rbd_provisioner_enabled: true +rbd_provisioner_namespace: kube-system +rbd_provisioner_replicas: 2 +rbd_provisioner_monitors: "var_ceph_monitors" +rbd_provisioner_pool: kube +rbd_provisioner_admin_id: admin +rbd_provisioner_secret_name: ceph-secret +rbd_provisioner_secret: var_ceph_admin_key +rbd_provisioner_user_id: kube +rbd_provisioner_user_secret_name: ceph-secret-kube +rbd_provisioner_user_secret: var_ceph_user_key +rbd_provisioner_user_secret_namespace: kube-system +rbd_provisioner_fs_type: ext4 +rbd_provisioner_image_format: "2" +rbd_provisioner_image_features: layering +rbd_provisioner_storage_class: rados-block +rbd_provisioner_reclaim_policy: Delete + +# Nginx ingress controller deployment +ingress_nginx_enabled: false +# ingress_nginx_host_network: false +ingress_publish_status_address: "" +# ingress_nginx_nodeselector: +# kubernetes.io/os: "linux" +# ingress_nginx_tolerations: +# - key: "node-role.kubernetes.io/master" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# - key: "node-role.kubernetes.io/control-plane" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# ingress_nginx_namespace: "ingress-nginx" +# ingress_nginx_insecure_port: 80 +# ingress_nginx_secure_port: 443 +# ingress_nginx_configmap: +# map-hash-bucket-size: "128" +# ssl-protocols: "TLSv1.2 TLSv1.3" +# ingress_nginx_configmap_tcp_services: +# 9000: "default/example-go:8080" +# ingress_nginx_configmap_udp_services: +# 53: "kube-system/coredns:53" +# ingress_nginx_extra_args: +# - --default-ssl-certificate=default/foo-tls +# ingress_nginx_class: nginx + +# ambassador ingress controller deployment +ingress_ambassador_enabled: false +# ingress_ambassador_namespace: "ambassador" +# ingress_ambassador_version: "*" +# ingress_ambassador_multi_namespaces: false + +# ALB ingress controller deployment +ingress_alb_enabled: false +# alb_ingress_aws_region: "us-east-1" +# alb_ingress_restrict_scheme: "false" +# Enables logging on all outbound requests sent to the AWS API. +# If logging is desired, set to true. +# alb_ingress_aws_debug: "false" + +# Cert manager deployment +cert_manager_enabled: false +# cert_manager_namespace: "cert-manager" + +# MetalLB deployment +metallb_enabled: false +metallb_speaker_enabled: true +# metallb_ip_range: +# - "10.5.0.50-10.5.0.99" +# metallb_speaker_nodeselector: +# kubernetes.io/os: "linux" +# metallb_controller_nodeselector: +# kubernetes.io/os: "linux" +# metallb_speaker_tolerations: +# - key: "node-role.kubernetes.io/master" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# - key: "node-role.kubernetes.io/control-plane" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# metallb_controller_tolerations: +# - key: "node-role.kubernetes.io/master" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# - key: "node-role.kubernetes.io/control-plane" +# operator: "Equal" +# value: "" +# effect: "NoSchedule" +# metallb_version: v0.9.6 +# metallb_protocol: "layer2" +# metallb_port: "7472" +# metallb_limits_cpu: "100m" +# metallb_limits_mem: "100Mi" +# metallb_additional_address_pools: +# kube_service_pool: +# ip_range: +# - "10.5.1.50-10.5.1.99" +# protocol: "layer2" +# auto_assign: false +# metallb_protocol: "bgp" +# metallb_peers: +# - peer_address: 192.0.2.1 +# peer_asn: 64512 +# my_asn: 4200000000 +# - peer_address: 192.0.2.2 +# peer_asn: 64513 +# my_asn: 4200000000 + +# The plugin manager for kubectl +krew_enabled: false +krew_root_dir: "/usr/local/krew" diff --git a/inventory/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/group_vars/k8s_cluster/k8s-cluster.yml new file mode 100644 index 0000000..f683153 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-cluster.yml @@ -0,0 +1,312 @@ +--- +# Kubernetes configuration dirs and system namespace. +# Those are where all the additional config stuff goes +# the kubernetes normally puts in /srv/kubernetes. +# This puts them in a sane location and namespace. +# Editing those values will almost surely break something. +kube_config_dir: /etc/kubernetes +kube_script_dir: "{{ bin_dir }}/kubernetes-scripts" +kube_manifest_dir: "{{ kube_config_dir }}/manifests" + +# This is where all the cert scripts and certs will be located +kube_cert_dir: "{{ kube_config_dir }}/ssl" + +# This is where all of the bearer tokens will be stored +kube_token_dir: "{{ kube_config_dir }}/tokens" + +kube_api_anonymous_auth: true + +## Change this to use another Kubernetes version, e.g. a current beta release +#kube_version: v1.20.7 +kube_version: v1.19.4 + +# Where the binaries will be downloaded. +# Note: ensure that you've enough disk space (about 1G) +local_release_dir: "/tmp/releases" +# Random shifts for retrying failed ops like pushing/downloading +retry_stagger: 5 + +# This is the group that the cert creation scripts chgrp the +# cert files to. Not really changeable... +kube_cert_group: kube-cert + +# Cluster Loglevel configuration +kube_log_level: 2 + +# Directory where credentials will be stored +credentials_dir: "{{ inventory_dir }}/credentials" + +## It is possible to activate / deactivate selected authentication methods (oidc, static token auth) +# kube_oidc_auth: false +# kube_token_auth: false + + +## Variables for OpenID Connect Configuration https://kubernetes.io/docs/admin/authentication/ +## To use OpenID you have to deploy additional an OpenID Provider (e.g Dex, Keycloak, ...) + +# kube_oidc_url: https:// ... +# kube_oidc_client_id: kubernetes +## Optional settings for OIDC +# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.pem" +# kube_oidc_username_claim: sub +# kube_oidc_username_prefix: 'oidc:' +# kube_oidc_groups_claim: groups +# kube_oidc_groups_prefix: 'oidc:' + +## Variables to control webhook authn/authz +# kube_webhook_token_auth: false +# kube_webhook_token_auth_url: https://... +# kube_webhook_token_auth_url_skip_tls_verify: false + +## For webhook authorization, authorization_modes must include Webhook +# kube_webhook_authorization: false +# kube_webhook_authorization_url: https://... +# kube_webhook_authorization_url_skip_tls_verify: false + +# Choose network plugin (cilium, calico, weave or flannel. Use cni for generic cni plugin) +# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing +kube_network_plugin: calico + +# Setting multi_networking to true will install Multus: https://github.com/intel/multus-cni +kube_network_plugin_multus: false + +# Kubernetes internal network for services, unused block of space. +kube_service_addresses: 10.233.0.0/18 + +# internal network. When used, it will assign IP +# addresses from this range to individual pods. +# This network must be unused in your network infrastructure! +kube_pods_subnet: 10.233.64.0/18 + +# internal network node size allocation (optional). This is the size allocated +# to each node for pod IP address allocation. Note that the number of pods per node is +# also limited by the kubelet_max_pods variable which defaults to 110. +# +# Example: +# Up to 64 nodes and up to 254 or kubelet_max_pods (the lowest of the two) pods per node: +# - kube_pods_subnet: 10.233.64.0/18 +# - kube_network_node_prefix: 24 +# - kubelet_max_pods: 110 +# +# Example: +# Up to 128 nodes and up to 126 or kubelet_max_pods (the lowest of the two) pods per node: +# - kube_pods_subnet: 10.233.64.0/18 +# - kube_network_node_prefix: 25 +# - kubelet_max_pods: 110 +kube_network_node_prefix: 24 + +# Configure Dual Stack networking (i.e. both IPv4 and IPv6) +enable_dual_stack_networks: false + +# Kubernetes internal network for IPv6 services, unused block of space. +# This is only used if enable_dual_stack_networks is set to true +# This provides 4096 IPv6 IPs +kube_service_addresses_ipv6: fd85:ee78:d8a6:8607::1000/116 + +# Internal network. When used, it will assign IPv6 addresses from this range to individual pods. +# This network must not already be in your network infrastructure! +# This is only used if enable_dual_stack_networks is set to true. +# This provides room for 256 nodes with 254 pods per node. +kube_pods_subnet_ipv6: fd85:ee78:d8a6:8607::1:0000/112 + +# IPv6 subnet size allocated to each for pods. +# This is only used if enable_dual_stack_networks is set to true +# This provides room for 254 pods per node. +kube_network_node_prefix_ipv6: 120 + +# The port the API Server will be listening on. +kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" +kube_apiserver_port: 6443 # (https) +# kube_apiserver_insecure_port: 8080 # (http) +# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true +kube_apiserver_insecure_port: 0 # (disabled) + +# Kube-proxy proxyMode configuration. +# Can be ipvs, iptables +kube_proxy_mode: ipvs + +# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface +# must be set to true for MetalLB to work +kube_proxy_strict_arp: false + +# A string slice of values which specify the addresses to use for NodePorts. +# Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). +# The default empty string slice ([]) means to use all local addresses. +# kube_proxy_nodeport_addresses_cidr is retained for legacy config +kube_proxy_nodeport_addresses: >- + {%- if kube_proxy_nodeport_addresses_cidr is defined -%} + [{{ kube_proxy_nodeport_addresses_cidr }}] + {%- else -%} + [] + {%- endif -%} + +# If non-empty, will use this string as identification instead of the actual hostname +# kube_override_hostname: >- +# {%- if cloud_provider is defined and cloud_provider in [ 'aws' ] -%} +# {%- else -%} +# {{ inventory_hostname }} +# {%- endif -%} + +## Encrypting Secret Data at Rest (experimental) +kube_encrypt_secret_data: false + +# DNS configuration. +# Kubernetes cluster name, also will be used as DNS domain +cluster_name: cluster.local +# Subdomains of DNS domain to be resolved via /etc/resolv.conf for hostnet pods +ndots: 2 +# Can be coredns, coredns_dual, manual or none +dns_mode: coredns +# Set manual server if using a custom cluster DNS server +# manual_dns_server: 10.x.x.x +# Enable nodelocal dns cache +enable_nodelocaldns: true +nodelocaldns_ip: 169.254.25.10 +nodelocaldns_health_port: 9254 +# nodelocaldns_external_zones: +# - zones: +# - example.com +# - example.io:1053 +# nameservers: +# - 1.1.1.1 +# - 2.2.2.2 +# cache: 5 +# - zones: +# - https://mycompany.local:4453 +# nameservers: +# - 192.168.0.53 +# cache: 0 +# Enable k8s_external plugin for CoreDNS +enable_coredns_k8s_external: false +coredns_k8s_external_zone: k8s_external.local +# Enable endpoint_pod_names option for kubernetes plugin +enable_coredns_k8s_endpoint_pod_names: false + +# Can be docker_dns, host_resolvconf or none +resolvconf_mode: docker_dns +# Deploy netchecker app to verify DNS resolve as an HTTP service +deploy_netchecker: false +# Ip address of the kubernetes skydns service +skydns_server: "{{ kube_service_addresses|ipaddr('net')|ipaddr(3)|ipaddr('address') }}" +skydns_server_secondary: "{{ kube_service_addresses|ipaddr('net')|ipaddr(4)|ipaddr('address') }}" +dns_domain: "{{ cluster_name }}" + +## Container runtime +## docker for docker, crio for cri-o and containerd for containerd. +container_manager: docker + +# Additional container runtimes +kata_containers_enabled: false + +kubeadm_certificate_key: "{{ lookup('password', credentials_dir + '/kubeadm_certificate_key.creds length=64 chars=hexdigits') | lower }}" + +# K8s image pull policy (imagePullPolicy) +k8s_image_pull_policy: IfNotPresent + +# audit log for kubernetes +kubernetes_audit: false + +# dynamic kubelet configuration +dynamic_kubelet_configuration: false + +# define kubelet config dir for dynamic kubelet +# kubelet_config_dir: +default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir" +dynamic_kubelet_configuration_dir: "{{ kubelet_config_dir | default(default_kubelet_config_dir) }}" + +# pod security policy (RBAC must be enabled either by having 'RBAC' in authorization_modes or kubeadm enabled) +podsecuritypolicy_enabled: false + +# Custom PodSecurityPolicySpec for restricted policy +# podsecuritypolicy_restricted_spec: {} + +# Custom PodSecurityPolicySpec for privileged policy +# podsecuritypolicy_privileged_spec: {} + +# Make a copy of kubeconfig on the host that runs Ansible in {{ inventory_dir }}/artifacts +# kubeconfig_localhost: false +# Download kubectl onto the host that runs Ansible in {{ bin_dir }} +# kubectl_localhost: false + +# A comma separated list of levels of node allocatable enforcement to be enforced by kubelet. +# Acceptable options are 'pods', 'system-reserved', 'kube-reserved' and ''. Default is "". +# kubelet_enforce_node_allocatable: pods + +## Optionally reserve resources for OS system daemons. +# system_reserved: true +## Uncomment to override default values +# system_memory_reserved: 512Mi +# system_cpu_reserved: 500m +## Reservation for master hosts +# system_master_memory_reserved: 256Mi +# system_master_cpu_reserved: 250m + +# An alternative flexvolume plugin directory +# kubelet_flexvolumes_plugins_dir: /usr/libexec/kubernetes/kubelet-plugins/volume/exec + +## Supplementary addresses that can be added in kubernetes ssl keys. +## That can be useful for example to setup a keepalived virtual IP +# supplementary_addresses_in_ssl_keys: [10.0.0.1, 10.0.0.2, 10.0.0.3] +supplementary_addresses_in_ssl_keys: var_cluster_supp_addr + +## Running on top of openstack vms with cinder enabled may lead to unschedulable pods due to NoVolumeZoneConflict restriction in kube-scheduler. +## See https://github.com/kubernetes-sigs/kubespray/issues/2141 +## Set this variable to true to get rid of this issue +volume_cross_zone_attachment: false +## Add Persistent Volumes Storage Class for corresponding cloud provider (supported: in-tree OpenStack, Cinder CSI, +## AWS EBS CSI, Azure Disk CSI, GCP Persistent Disk CSI) +persistent_volumes_enabled: false + +## Container Engine Acceleration +## Enable container acceleration feature, for example use gpu acceleration in containers +# nvidia_accelerator_enabled: true +## Nvidia GPU driver install. Install will by done by a (init) pod running as a daemonset. +## Important: if you use Ubuntu then you should set in all.yml 'docker_storage_options: -s overlay2' +## Array with nvida_gpu_nodes, leave empty or comment if you don't want to install drivers. +## Labels and taints won't be set to nodes if they are not in the array. +# nvidia_gpu_nodes: +# - kube-gpu-001 +# nvidia_driver_version: "384.111" +## flavor can be tesla or gtx +# nvidia_gpu_flavor: gtx +## NVIDIA driver installer images. Change them if you have trouble accessing gcr.io. +# nvidia_driver_install_centos_container: atzedevries/nvidia-centos-driver-installer:2 +# nvidia_driver_install_ubuntu_container: gcr.io/google-containers/ubuntu-nvidia-driver-installer@sha256:7df76a0f0a17294e86f691c81de6bbb7c04a1b4b3d4ea4e7e2cccdc42e1f6d63 +## NVIDIA GPU device plugin image. +# nvidia_gpu_device_plugin_container: "k8s.gcr.io/nvidia-gpu-device-plugin@sha256:0842734032018be107fa2490c98156992911e3e1f2a21e059ff0105b07dd8e9e" + +## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. +# tls_min_version: "" + +## Support tls cipher suites. +# tls_cipher_suites: {} +# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 +# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA +# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +# - TLS_ECDHE_RSA_WITH_RC4_128_SHA +# - TLS_RSA_WITH_3DES_EDE_CBC_SHA +# - TLS_RSA_WITH_AES_128_CBC_SHA +# - TLS_RSA_WITH_AES_128_CBC_SHA256 +# - TLS_RSA_WITH_AES_128_GCM_SHA256 +# - TLS_RSA_WITH_AES_256_CBC_SHA +# - TLS_RSA_WITH_AES_256_GCM_SHA384 +# - TLS_RSA_WITH_RC4_128_SHA + +## Amount of time to retain events. (default 1h0m0s) +event_ttl_duration: "1h0m0s" + +## Automatically renew K8S control plane certificates on first Monday of each month +auto_renew_certificates: false +# First Monday of each month +# auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube_control_plane'].index(inventory_hostname) }}0:00" diff --git a/inventory/group_vars/k8s_cluster/k8s-net-calico.yml b/inventory/group_vars/k8s_cluster/k8s-net-calico.yml new file mode 100644 index 0000000..1e17091 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-calico.yml @@ -0,0 +1,102 @@ +# see roles/network_plugin/calico/defaults/main.yml + +## With calico it is possible to distributed routes with border routers of the datacenter. +## Warning : enabling router peering will disable calico's default behavior ('node mesh'). +## The subnets of each nodes will be distributed by the datacenter router +# peer_with_router: false + +# Enables Internet connectivity from containers +# nat_outgoing: true + +# Enables Calico CNI "host-local" IPAM plugin +# calico_ipam_host_local: true + +# add default ippool name +# calico_pool_name: "default-pool" + +# add default ippool blockSize (defaults kube_network_node_prefix) +# calico_pool_blocksize: 24 + +# add default ippool CIDR (must be inside kube_pods_subnet, defaults to kube_pods_subnet otherwise) +# calico_pool_cidr: 1.2.3.4/5 + +# Add default IPV6 IPPool CIDR. Must be inside kube_pods_subnet_ipv6. Defaults to kube_pods_subnet_ipv6 if not set. +# calico_pool_cidr_ipv6: fd85:ee78:d8a6:8607::1:0000/112 + +# Global as_num (/calico/bgp/v1/global/as_num) +# global_as_num: "64512" + +# If doing peering with node-assigned asn where the globas does not match your nodes, you want this +# to be true. All other cases, false. +# calico_no_global_as_num: false + +# You can set MTU value here. If left undefined or empty, it will +# not be specified in calico CNI config, so Calico will use built-in +# defaults. The value should be a number, not a string. +calico_mtu: 1410 + +# Configure the MTU to use for workload interfaces and tunnels. +# - If Wireguard is enabled, set to your network MTU - 60 +# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50 +# - Otherwise, if IPIP is enabled, set to your network MTU - 20 +# - Otherwise, if not using any encapsulation, set to your network MTU. +# calico_veth_mtu: 1440 + +# Advertise Cluster IPs +# calico_advertise_cluster_ips: true + +# Advertise Service External IPs +# calico_advertise_service_external_ips: +# - x.x.x.x/24 +# - y.y.y.y/32 + +# Adveritse Service LoadBalancer IPs +# calico_advertise_service_loadbalancer_ips: +# - x.x.x.x/24 +# - y.y.y.y/16 + +# Choose data store type for calico: "etcd" or "kdd" (kubernetes datastore) +# calico_datastore: "kdd" + +# Choose Calico iptables backend: "Legacy", "Auto" or "NFT" +# calico_iptables_backend: "Legacy" + +# Use typha (only with kdd) +# typha_enabled: false + +# Generate TLS certs for secure typha<->calico-node communication +# typha_secure: false + +# Scaling typha: 1 replica per 100 nodes is adequate +# Number of typha replicas +# typha_replicas: 1 + +# Set max typha connections +# typha_max_connections_lower_limit: 300 + +# Set calico network backend: "bird", "vxlan" or "none" +# bird enable BGP routing, required for ipip mode. +# calico_network_backend: bird + +# IP in IP and VXLAN is mutualy exclusive modes. +# set IP in IP encapsulation mode: "Always", "CrossSubnet", "Never" +# calico_ipip_mode: 'Always' + +# set VXLAN encapsulation mode: "Always", "CrossSubnet", "Never" +# calico_vxlan_mode: 'Never' + +# set VXLAN port and VNI +# calico_vxlan_vni: 4096 +# calico_vxlan_port: 4789 + +# If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of: +# * can-reach=DESTINATION +# * interface=INTERFACE-REGEX +# see https://docs.projectcalico.org/reference/node/configuration +# calico_ip_auto_method: "interface=eth.*" +# Choose the iptables insert mode for Calico: "Insert" or "Append". +# calico_felix_chaininsertmode: Insert + +# If you want use the default route interface when you use multiple interface with dynamique route (iproute2) +# see https://docs.projectcalico.org/reference/node/configuration : FELIX_DEVICEROUTESOURCEADDRESS +# calico_use_default_route_src_ipaddr: false diff --git a/inventory/group_vars/k8s_cluster/k8s-net-canal.yml b/inventory/group_vars/k8s_cluster/k8s-net-canal.yml new file mode 100644 index 0000000..60b9da7 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-canal.yml @@ -0,0 +1,10 @@ +# see roles/network_plugin/canal/defaults/main.yml + +# The interface used by canal for host <-> host communication. +# If left blank, then the interface is choosing using the node's +# default route. +# canal_iface: "" + +# Whether or not to masquerade traffic to destinations not within +# the pod network. +# canal_masquerade: "true" diff --git a/inventory/group_vars/k8s_cluster/k8s-net-cilium.yml b/inventory/group_vars/k8s_cluster/k8s-net-cilium.yml new file mode 100644 index 0000000..95730eb --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-cilium.yml @@ -0,0 +1 @@ +# see roles/network_plugin/cilium/defaults/main.yml diff --git a/inventory/group_vars/k8s_cluster/k8s-net-flannel.yml b/inventory/group_vars/k8s_cluster/k8s-net-flannel.yml new file mode 100644 index 0000000..a42c5b3 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-flannel.yml @@ -0,0 +1,18 @@ +# see roles/network_plugin/flannel/defaults/main.yml + +## interface that should be used for flannel operations +## This is actually an inventory cluster-level item +# flannel_interface: + +## Select interface that should be used for flannel operations by regexp on Name or IP +## This is actually an inventory cluster-level item +## example: select interface with ip from net 10.0.0.0/23 +## single quote and escape backslashes +# flannel_interface_regexp: '10\\.0\\.[0-2]\\.\\d{1,3}' + +# You can choose what type of flannel backend to use: 'vxlan' or 'host-gw' +# for experimental backend +# please refer to flannel's docs : https://github.com/coreos/flannel/blob/master/README.md +# flannel_backend_type: "vxlan" +# flannel_vxlan_vni: 1 +# flannel_vxlan_port: 8472 diff --git a/inventory/group_vars/k8s_cluster/k8s-net-kube-router.yml b/inventory/group_vars/k8s_cluster/k8s-net-kube-router.yml new file mode 100644 index 0000000..3832801 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-kube-router.yml @@ -0,0 +1,61 @@ +# See roles/network_plugin/kube-router//defaults/main.yml + +# Enables Pod Networking -- Advertises and learns the routes to Pods via iBGP +# kube_router_run_router: true + +# Enables Network Policy -- sets up iptables to provide ingress firewall for pods +# kube_router_run_firewall: true + +# Enables Service Proxy -- sets up IPVS for Kubernetes Services +# see docs/kube-router.md "Caveats" section +# kube_router_run_service_proxy: false + +# Add Cluster IP of the service to the RIB so that it gets advertises to the BGP peers. +# kube_router_advertise_cluster_ip: false + +# Add External IP of service to the RIB so that it gets advertised to the BGP peers. +# kube_router_advertise_external_ip: false + +# Add LoadbBalancer IP of service status as set by the LB provider to the RIB so that it gets advertised to the BGP peers. +# kube_router_advertise_loadbalancer_ip: false + +# Adjust manifest of kube-router daemonset template with DSR needed changes +# kube_router_enable_dsr: false + +# Array of arbitrary extra arguments to kube-router, see +# https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md +# kube_router_extra_args: [] + +# ASN numbers of the BGP peer to which cluster nodes will advertise cluster ip and node's pod cidr. +# kube_router_peer_router_asns: ~ + +# The ip address of the external router to which all nodes will peer and advertise the cluster ip and pod cidr's. +# kube_router_peer_router_ips: ~ + +# The remote port of the external BGP to which all nodes will peer. If not set, default BGP port (179) will be used. +# kube_router_peer_router_ports: ~ + +# Setups node CNI to allow hairpin mode, requires node reboots, see +# https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md#hairpin-mode +# kube_router_support_hairpin_mode: false + +# Select DNS Policy ClusterFirstWithHostNet, ClusterFirst, etc. +# kube_router_dns_policy: ClusterFirstWithHostNet + +# Array of annotations for master +# kube_router_annotations_master: [] + +# Array of annotations for every node +# kube_router_annotations_node: [] + +# Array of common annotations for every node +# kube_router_annotations_all: [] + +# Enables scraping kube-router metrics with Prometheus +# kube_router_enable_metrics: false + +# Path to serve Prometheus metrics on +# kube_router_metrics_path: /metrics + +# Prometheus metrics port to use +# kube_router_metrics_port: 9255 diff --git a/inventory/group_vars/k8s_cluster/k8s-net-macvlan.yml b/inventory/group_vars/k8s_cluster/k8s-net-macvlan.yml new file mode 100644 index 0000000..d2534e7 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-macvlan.yml @@ -0,0 +1,6 @@ +--- +# private interface, on a l2-network +macvlan_interface: "eth1" + +# Enable nat in default gateway network interface +enable_nat_default_gateway: true diff --git a/inventory/group_vars/k8s_cluster/k8s-net-weave.yml b/inventory/group_vars/k8s_cluster/k8s-net-weave.yml new file mode 100644 index 0000000..ed6c3c0 --- /dev/null +++ b/inventory/group_vars/k8s_cluster/k8s-net-weave.yml @@ -0,0 +1,61 @@ +# see roles/network_plugin/weave/defaults/main.yml + +# Weave's network password for encryption, if null then no network encryption. +# weave_password: ~ + +# If set to 1, disable checking for new Weave Net versions (default is blank, +# i.e. check is enabled) +# weave_checkpoint_disable: false + +# Soft limit on the number of connections between peers. Defaults to 100. +# weave_conn_limit: 100 + +# Weave Net defaults to enabling hairpin on the bridge side of the veth pair +# for containers attached. If you need to disable hairpin, e.g. your kernel is +# one of those that can panic if hairpin is enabled, then you can disable it by +# setting `HAIRPIN_MODE=false`. +# weave_hairpin_mode: true + +# The range of IP addresses used by Weave Net and the subnet they are placed in +# (CIDR format; default 10.32.0.0/12) +# weave_ipalloc_range: "{{ kube_pods_subnet }}" + +# Set to 0 to disable Network Policy Controller (default is on) +# weave_expect_npc: "{{ enable_network_policy }}" + +# List of addresses of peers in the Kubernetes cluster (default is to fetch the +# list from the api-server) +# weave_kube_peers: ~ + +# Set the initialization mode of the IP Address Manager (defaults to consensus +# amongst the KUBE_PEERS) +# weave_ipalloc_init: ~ + +# Set the IP address used as a gateway from the Weave network to the host +# network - this is useful if you are configuring the addon as a static pod. +# weave_expose_ip: ~ + +# Address and port that the Weave Net daemon will serve Prometheus-style +# metrics on (defaults to 0.0.0.0:6782) +# weave_metrics_addr: ~ + +# Address and port that the Weave Net daemon will serve status requests on +# (defaults to disabled) +# weave_status_addr: ~ + +# Weave Net defaults to 1376 bytes, but you can set a smaller size if your +# underlying network has a tighter limit, or set a larger size for better +# performance if your network supports jumbo frames (e.g. 8916) +# weave_mtu: 1376 + +# Set to 1 to preserve the client source IP address when accessing Service +# annotated with `service.spec.externalTrafficPolicy=Local`. The feature works +# only with Weave IPAM (default). +# weave_no_masq_local: true + +# set to nft to use nftables backend for iptables (default is iptables) +# weave_iptables_backend: iptables + +# Extra variables that passing to launch.sh, useful for enabling seed mode, see +# https://www.weave.works/docs/net/latest/tasks/ipam/ipam/ +# weave_extra_args: ~ diff --git a/inventory/hosts-dev.yaml b/inventory/hosts-dev.yaml new file mode 100644 index 0000000..821d626 --- /dev/null +++ b/inventory/hosts-dev.yaml @@ -0,0 +1,81 @@ +all: + hosts: + devmaster01: + ansible_host: 10.15.8.1 + ip: 10.15.8.1 + access_ip: 10.15.8.1 + devmaster02: + ansible_host: 10.15.8.2 + ip: 10.15.8.2 + access_ip: 10.15.8.2 + devmaster03: + ansible_host: 10.15.8.3 + ip: 10.15.8.3 + access_ip: 10.15.8.3 + worker01: + ansible_host: 10.15.8.21 + ip: 10.15.8.21 + access_ip: 10.15.8.21 + worker02: + ansible_host: 10.15.8.22 + ip: 10.15.8.22 + access_ip: 10.15.8.22 + worker03: + ansible_host: 10.15.8.23 + ip: 10.15.8.23 + access_ip: 10.15.8.23 + worker04: + ansible_host: 10.15.8.24 + ip: 10.15.8.24 + access_ip: 10.15.8.24 + worker05: + ansible_host: 10.15.8.25 + ip: 10.15.8.25 + access_ip: 10.15.8.25 + worker06: + ansible_host: 10.15.8.26 + ip: 10.15.8.26 + access_ip: 10.15.8.26 + worker07: + ansible_host: 10.15.8.27 + ip: 10.15.8.27 + access_ip: 10.15.8.27 + worker08: + ansible_host: 10.15.8.28 + ip: 10.15.8.28 + access_ip: 10.15.8.28 + worker09: + ansible_host: 10.15.8.29 + ip: 10.15.8.29 + access_ip: 10.15.8.29 + children: + kube_control_plane: + hosts: + devmaster01: + devmaster02: + devmaster03: + kube_node: + hosts: + devmaster01: + devmaster02: + devmaster03: + worker01: + worker02: + worker03: + worker04: + worker05: + worker06: + worker07: + worker08: + worker09: + etcd: + hosts: + devmaster01: + devmaster02: + devmaster03: + k8s_cluster: + children: + kube_control_plane: + kube_node: + calico_rr: + hosts: {} diff --git a/inventory/hosts-dom1.yaml b/inventory/hosts-dom1.yaml new file mode 100644 index 0000000..3a70886 --- /dev/null +++ b/inventory/hosts-dom1.yaml @@ -0,0 +1,61 @@ +all: + hosts: + dom1master01: + ansible_host: 10.0.1.101 + ip: 10.0.1.101 + access_ip: 10.0.1.101 + dom1master02: + ansible_host: 10.0.1.102 + ip: 10.0.1.102 + access_ip: 10.0.1.102 + dom1master03: + ansible_host: 10.0.1.103 + ip: 10.0.1.103 + access_ip: 10.0.1.103 + kvmcu01: + ansible_host: 10.0.1.121 + ip: 10.0.1.121 + access_ip: 10.0.1.121 + kvmcu02: + ansible_host: 10.0.1.122 + ip: 10.0.1.122 + access_ip: 10.0.1.122 + kvmcu03: + ansible_host: 10.0.1.123 + ip: 10.0.1.123 + access_ip: 10.0.1.123 + kvmcu04: + ansible_host: 10.0.1.124 + ip: 10.0.1.124 + access_ip: 10.0.1.124 + kvmcu05: + ansible_host: 10.0.1.125 + ip: 10.0.1.125 + access_ip: 10.0.1.125 + children: + kube_control_plane: + hosts: + dom1master01: + dom1master02: + dom1master03: + kube_node: + hosts: + dom1master01: + dom1master02: + dom1master03: + kvmcu01: + kvmcu02: + kvmcu03: + kvmcu04: + kvmcu05: + etcd: + hosts: + dom1master01: + dom1master02: + dom1master03: + k8s_cluster: + children: + kube_control_plane: + kube_node: + calico_rr: + hosts: {} diff --git a/inventory/inventory.ini b/inventory/inventory.ini new file mode 100644 index 0000000..99a6309 --- /dev/null +++ b/inventory/inventory.ini @@ -0,0 +1,38 @@ +# ## Configure 'ip' variable to bind kubernetes services on a +# ## different ip than the default iface +# ## We should set etcd_member_name for etcd cluster. The node that is not a etcd member do not need to set the value, or can set the empty string value. +[all] +# node1 ansible_host=95.54.0.12 # ip=10.3.0.1 etcd_member_name=etcd1 +# node2 ansible_host=95.54.0.13 # ip=10.3.0.2 etcd_member_name=etcd2 +# node3 ansible_host=95.54.0.14 # ip=10.3.0.3 etcd_member_name=etcd3 +# node4 ansible_host=95.54.0.15 # ip=10.3.0.4 etcd_member_name=etcd4 +# node5 ansible_host=95.54.0.16 # ip=10.3.0.5 etcd_member_name=etcd5 +# node6 ansible_host=95.54.0.17 # ip=10.3.0.6 etcd_member_name=etcd6 + +# ## configure a bastion host if your nodes are not directly reachable +# [bastion] +# bastion ansible_host=x.x.x.x ansible_user=some_user + +[kube_control_plane] +# node1 +# node2 +# node3 + +[etcd] +# node1 +# node2 +# node3 + +[kube_node] +# node2 +# node3 +# node4 +# node5 +# node6 + +[calico_rr] + +[k8s_cluster:children] +kube_control_plane +kube_node +calico_rr diff --git a/patches/release-2.16/roles/container-engine/containerd-common/vars/debian.yml b/patches/release-2.16/roles/container-engine/containerd-common/vars/debian.yml new file mode 100644 index 0000000..53a5454 --- /dev/null +++ b/patches/release-2.16/roles/container-engine/containerd-common/vars/debian.yml @@ -0,0 +1,9 @@ +--- +containerd_versioned_pkg: + 'latest': "{{ containerd_package }}" + '1.3.7': "{{ containerd_package }}=1.3.7-1" + '1.3.9': "{{ containerd_package }}=1.3.9-1" + '1.4.3': "{{ containerd_package }}=1.4.3-1" + '1.4.4': "{{ containerd_package }}=1.4.3-1" + 'stable': "{{ containerd_package }}=1.4.3-1" + 'edge': "{{ containerd_package }}=1.4.4-1" diff --git a/scripts/create-sa.sh b/scripts/create-sa.sh new file mode 100755 index 0000000..a841f7b --- /dev/null +++ b/scripts/create-sa.sh @@ -0,0 +1,92 @@ +#!/bin/bash +set -e +set -o pipefail + +# Add user to k8s using service account, no RBAC (must create RBAC after this script) +if [[ -z "$1" ]] || [[ -z "$2" ]]; then + echo "usage: $0 " + exit 1 +fi + +SERVICE_ACCOUNT_NAME=$1 +NAMESPACE="$2" +KUBECFG_FILE_NAME="/tmp/kube/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" +TARGET_FOLDER="/tmp/kube" + +create_target_folder() { + echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..." + mkdir -p "${TARGET_FOLDER}" + printf "done" +} + +create_service_account() { + echo -e "\\nCreating a service account: ${SERVICE_ACCOUNT_NAME} on namespace: ${NAMESPACE}" + kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" +} + +get_secret_name_from_service_account() { + echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME}-${NAMESPACE}" + SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}" -o json | jq -r '.secrets[].name') + echo "Secret name: ${SECRET_NAME}" +} + +extract_ca_crt_from_secret() { + echo -e -n "\\nExtracting ca.crt from secret..." + kubectl get secret "${SECRET_NAME}" --namespace "${NAMESPACE}" -o json | jq \ + -r '.data["ca.crt"]' | base64 -d > "${TARGET_FOLDER}/ca.crt" + printf "done" +} + +get_user_token_from_secret() { + echo -e -n "\\nGetting user token from secret..." + USER_TOKEN=$(kubectl get secret "${SECRET_NAME}" \ + --namespace "${NAMESPACE}" -o json | jq -r '.data["token"]' | base64 -d) + printf "done" +} + +set_kube_config_values() { + context=$(kubectl config current-context) + echo -e "\\nSetting current context to: $context" + + CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1) + echo "Cluster name: ${CLUSTER_NAME}" + + ENDPOINT=$(kubectl config view \ + -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}") + echo "Endpoint: ${ENDPOINT}" + + # Set up the config + echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf" + echo -n "Setting a cluster entry in kubeconfig..." + kubectl config set-cluster "${CLUSTER_NAME}" \ + --kubeconfig="${KUBECFG_FILE_NAME}" \ + --server="${ENDPOINT}" \ + --certificate-authority="${TARGET_FOLDER}/ca.crt" \ + --embed-certs=true + + echo -n "Setting token credentials entry in kubeconfig..." + kubectl config set-credentials \ + "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ + --kubeconfig="${KUBECFG_FILE_NAME}" \ + --token="${USER_TOKEN}" + + echo -n "Setting a context entry in kubeconfig..." + kubectl config set-context \ + "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ + --kubeconfig="${KUBECFG_FILE_NAME}" \ + --cluster="${CLUSTER_NAME}" \ + --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ + --namespace="${NAMESPACE}" + + echo -n "Setting the current-context in the kubeconfig file..." + kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \ + --kubeconfig="${KUBECFG_FILE_NAME}" +} + +create_target_folder +create_service_account +sleep 10 +get_secret_name_from_service_account +extract_ca_crt_from_secret +get_user_token_from_secret +set_kube_config_values \ No newline at end of file diff --git a/scripts/health.sh b/scripts/health.sh new file mode 100755 index 0000000..fafff9f --- /dev/null +++ b/scripts/health.sh @@ -0,0 +1,33 @@ +#!/bin/bash + +kubectl cluster-info + +#printf "\n [ etcd cluster health: ]\n" +#/usr/local/bin/etcdctl --endpoints="https://${ETCD_1_IP}:2379,https://${ETCD_2_IP}:2379,https://${ETCD_3_IP}:2379" --cert ${CA_DIR}/etcd.crt --key ${CA_DIR}/etcd.key --cacert ${CA_DIR}/etcd-ca.crt endpoint status + +printf "\n [ kubernetes components health: ]\n" +/usr/local/bin/kubectl get componentstatuses + +printf "\n [ kubernetes nodes: ]\n" +kubectl get nodes -o wide + +printf "\n [ helm releases: ]\n" +helm ls --all-namespaces + +if [ "$1" = "all" ]; then + printf "\n [ kubernetes deployments: ]\n" + /usr/local/bin/kubectl get deployments --all-namespaces + printf "\n [ kubernetes services: ]\n" + /usr/local/bin/kubectl get services --all-namespaces -o wide + printf "\n [ kubernetes ingresses: ]\n" + /usr/local/bin/kubectl get ingresses.v1.networking.k8s.io --all-namespaces + printf "\n [ kubernates storage claims: ]\n" + /usr/local/bin/kubectl get pvc --all-namespaces + printf "\n [ kubernetes pods: ]\n" + /usr/local/bin/kubectl get pods --all-namespaces -o wide +fi + +if [ ! -z "$1" ]; then + printf "\n [ $1 status: ]\n" + /usr/local/bin/kubectl get $1 --all-namespaces -o wide +fi \ No newline at end of file diff --git a/scripts/k.sh b/scripts/k.sh new file mode 100755 index 0000000..111cb28 --- /dev/null +++ b/scripts/k.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +export KUBECONFIG=/etc/kubernetes/admin.conf + +kubectl "$@" \ No newline at end of file diff --git a/scripts/logs-proxy.sh b/scripts/logs-proxy.sh new file mode 100755 index 0000000..8614b58 --- /dev/null +++ b/scripts/logs-proxy.sh @@ -0,0 +1,50 @@ +#!/bin/sh + +if [ -z "$SSH_ORIGINAL_COMMAND" ] ; then + echo "" + echo "Usage: ssh logs [grep pattern]" + echo "Example: ssh logs shared matches-front 100" + echo "" + exit +fi + +NSPACE=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $1}'` + +if [ "$NSPACE" = "kube-system" ] || [ "$NSPACE" = "monitoring" ]; then + echo "Access denied." + exit +fi + +SERVICE=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $2}'` + +if [ -z $SERVICE ]; then + KUBECONFIG=/home/logs/k8s-admin-conf /usr/local/bin/kubectl -n ${NSPACE} get pods + exit +fi + +CONTAINER_NAME=`KUBECONFIG=/home/logs/k8s-admin-conf /usr/local/bin/kubectl -n ${NSPACE} get pods | grep "${SERVICE}" | awk '{print $1}'` +num_lines=$(echo "$CONTAINER_NAME" | wc -l) +if [ $num_lines -gt 1 ]; then + echo "Specify exact container name from:" + echo "" + echo "$CONTAINER_NAME" + echo "" + echo "Usage: ssh logs ${NSPACE} $SERVICE-rnd123 " + exit +fi +echo $CONTAINER_NAME + +TAIL=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $3}'` +if [ -n "$TAIL" ] && [ "$TAIL" -eq "$TAIL" ] 2>/dev/null; then + TAIL="--tail $TAIL" +else + TAIL='' +fi + +GREP_PATTERN=`echo "$SSH_ORIGINAL_COMMAND" | awk '{print $4}'` + +if [ -n "$GREP_PATTERN" ]; then + KUBECONFIG=/home/logs/k8s-admin-conf /usr/local/bin/kubectl -n ${NSPACE} logs --timestamps --follow $TAIL $CONTAINER_NAME --all-containers | grep -E $GREP_PATTERN +else + KUBECONFIG=/home/logs/k8s-admin-conf /usr/local/bin/kubectl -n ${NSPACE} logs --timestamps --follow $TAIL $CONTAINER_NAME --all-containers +fi; \ No newline at end of file diff --git a/scripts/omega-tunnel.sh b/scripts/omega-tunnel.sh new file mode 100755 index 0000000..6a4e25a --- /dev/null +++ b/scripts/omega-tunnel.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +APP="$SSH_ORIGINAL_COMMAND" + +case "$APP" in + omega-ps|omega-core|omega-tron|mssql) + ;; + *) + echo "Usage: ssh omega@master01 -t \n" + echo "Available containers:\n omega-ps\n omega-core\n omega-tron\n mssql" + exit +esac + +export KUBECONFIG=k8s-admin-sa-staging-conf + +POD=`kubectl -n staging get pods --selector="app=$APP" --output=go-template --template='{{range .items}}{{.metadata.name}}{{end}}'` +exec kubectl -n staging exec -it "$POD" -- bash -c 'PATH="$PATH:/opt/mssql-tools/bin" bash' \ No newline at end of file diff --git a/scripts/podspernode.sh b/scripts/podspernode.sh new file mode 100755 index 0000000..e09d123 --- /dev/null +++ b/scripts/podspernode.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +for node in `k get node --selector='!node-role.kubernetes.io/master' -o jsonpath='{.items[*].metadata.name}'`; do + echo -n "$node: " + k get pods --all-namespaces --no-headers --field-selector spec.nodeName=$node | wc -l +done \ No newline at end of file diff --git a/scripts/tcp-proxy.sh b/scripts/tcp-proxy.sh new file mode 100755 index 0000000..84765f1 --- /dev/null +++ b/scripts/tcp-proxy.sh @@ -0,0 +1,37 @@ +#!/bin/bash + +# For each user who needs to use this script you may create the .authorized_keys file using the following pattern: +#command="/usr/local/bin/tcp-proxy",no-user-rc,no-x11-forwarding,no-agent-forwarding,no-pty,permitopen="127.0.0.1:23306",permitopen="127.0.0.1:21443" ssh-rsa user@host + +APP="$SSH_ORIGINAL_COMMAND" + +case "$APP" in + db) + USERPORT=23306 + TARGETPORT=3306 + ;; + mssql) + USERPORT=21443 + TARGETPORT=1433 + ;; + *) + echo "Usage: ssh remotecon@master01.staging.example.com -L3306:127.0.0.1:23306 " + echo "Available services:\nmssql \ndb" + exit +esac + +export KUBECONFIG=/home/remotecon/k8s-admin-sa-staging-conf + +SVC=`kubectl get svc $APP --output=go-template --template='{{.metadata.name}}'` +echo "Port forwarding $SVC:$TARGETPORT to 127.0.0.1:$USERPORT ..." + +FWDPID=`ps ax | grep "svc\/$SVC" | awk '{print $1}'` +if [ -z $FWDPID ] ; then + /usr/sbin/daemonize /usr/local/bin/kubectl port-forward svc/$SVC $USERPORT:$TARGETPORT + FWDPID=`ps ax | grep "svc\/$SVC" | awk '{print $1}'` + echo "Spawning new forwarder at pid $FWDPID." +else + echo "Using the running forwarder at pid $FWDPID." +fi +echo "Press any key to end the session..." +read X \ No newline at end of file diff --git a/setup-apps.sh b/setup-apps.sh new file mode 100755 index 0000000..3a76416 --- /dev/null +++ b/setup-apps.sh @@ -0,0 +1,169 @@ +#!/bin/bash + +echo "... ] Setup Applications [ ..." + +if [ -f config ]; then + echo "config file FOUND :)" + source config +else + echo "config file is missing." + exit 1 +fi +export CEPH_MONITOR_1 +export CEPH_MONITOR_2 +export CEPH_MONITOR_3 +export CLUSTER_DOMAIN +export REGISTRY_URL +export LOKI_STORAGE_SIZE +export LOKI_RETENTION + +allRunning() { + podStatus=$(kubectl get pods -n $1 -o=jsonpath='{range .items[*]}{.status.conditions[?(@.type=="ContainersReady")].status}{"\n"}{end}') + for elem in $podStatus + do + #echo $elem + if [ $elem != "True" ] + then + return 0 + fi + done + return 1 +} + +# Setup Helm repositories +helm repo add jetstack https://charts.jetstack.io +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo add grafana https://grafana.github.io/helm-charts +helm repo update + +# Setup ACME +if [ $CERT_MODE == "True" ] ; then + echo "] deploying cert-manager helm chart..." + kubectl create namespace cert-manager + kubectl -n cert-manager create secret generic cf-api-secret --from-literal=cf-api-key=${CLOUDFLARE_API_KEY} + kubectl apply -f yaml/cert-manager/cert-manager.crds.yaml + helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --version v1.1.0 \ + -f yaml/cert-manager/values.yaml + + echo "] Setup cert-manager issuers ... " + while : + do + allRunning cert-manager + allAreRunning=$? + if [ $allAreRunning == 1 ]; then + sleep 10 + break + fi + done + + cat yaml/cert-manager/letsencrypt-staging-clusterissuer.yaml | sed "s/var_acme_email/${ADMIN_EMAIL}/" | kubectl -n kube-system apply -f - + cat yaml/cert-manager/letsencrypt-staging-dns-clusterissuer.yaml | sed "s/var_acme_email/${ADMIN_EMAIL}/" | kubectl -n kube-system apply -f - + cat yaml/cert-manager/letsencrypt-production-clusterissuer.yaml | sed "s/var_acme_email/${ADMIN_EMAIL}/" | kubectl -n kube-system apply -f - + cat yaml/cert-manager/letsencrypt-production-dns-clusterissuer.yaml | sed "s/var_acme_email/${ADMIN_EMAIL}/" | kubectl -n kube-system apply -f - +fi + +# Setup Ingress-Nginx +kubectl create namespace ingress-nginx +if [ $CERT_MODE == "True" ] ; then + echo "] Deploying ingress-nginx helm chart WITH TLS termination in TCP/PROXY mode..." + k8x_proxy_mode="true" +else + echo "] Deploying ingress-nginx helm chart WITHOUT TLS termination in HTTP mode..." + k8x_proxy_mode="false" +fi +helm install \ + ingress-nginx ingress-nginx/ingress-nginx \ + --namespace ingress-nginx \ + --set-string controller.config.use-proxy-protocol="${k8x_proxy_mode}" \ + --set-string controller.maxmindLicenseKey="${MAXMIND_LIC}" \ + --version 3.34.0 \ + -f yaml/ingress-nginx/values.yaml + +# Setup Monitoring +kubectl create namespace monitoring +kubectl create namespace loki + +# Setup Zabbix +echo "] Deploying zabbix-agent for host monitoring..." +kubectl -n monitoring create secret generic zabbix-psk-secret --from-literal=zabbix_agentd.psk=${ZABBIX_PSK} +kubectl -n monitoring create secret generic zabbix-psk-id-secret --from-literal=zabbix_psk_id=${ZABBIX_PSK_ID} +cat yaml/monitoring/zabbix-agent-daemonset.yaml | sed "s/k8x_zabbix_server/${ZABBIX_SERVER}/" | kubectl -n monitoring apply -f - + +# Setup Prometheus metrics +echo "] Deploying prometheus for metrics aggregation..." +cat yaml/monitoring/prometheus-volumes.yaml | envsubst | kubectl apply -f - +helm install \ + prometheus prometheus-community/prometheus \ + --namespace monitoring \ + -f yaml/monitoring/prometheus-values.yaml + +# Setup PLG Stack +echo "] Deploying Promtail for logs aggregation ..." +#promtail +helm install \ + promtail grafana/promtail \ + --namespace monitoring \ + -f yaml/monitoring/promtail-values.yaml + +echo "] Deploying Loki for promtail aggregation ..." +cat yaml/monitoring/loki-v12-volumes.yaml | envsubst | kubectl apply -f - +helm install \ + loki grafana/loki \ + --namespace loki \ + -f yaml/monitoring/loki-v12-values-${LOKI_RETENTION}.yaml +cat yaml/monitoring/loki-v12-ext-svc.yaml | kubectl apply -f - + +echo "] Deploying Grafana for monitoring dashboard ..." +cat yaml/monitoring/grafana-volumes.yaml | envsubst | kubectl apply -f - +helm install \ + grafana grafana/grafana \ + --namespace monitoring \ + -f yaml/monitoring/grafana-values.yaml \ + --set env.GF_SMTP_ENABLED=true,env.GF_SMTP_HOST=${GRAFANA_SMTP_HOST},env.GF_SMTP_FROM_ADDRESS=${GRAFANA_SMTP_FROM_ADDRESS},env.GF_SMTP_USER=${GRAFANA_SMTP_USER},env.GF_SMTP_PASSWORD=${GRAFANA_SMTP_PASSWORD},env.GF_SMTP_SKIP_VERIFY=true +printf '\ngrafana login:\nuser: admin \npass: ' ; kubectl get secret --namespace monitoring grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo +#kubectl -n monitoring create secret generic monitoring-http-secret --from-file=yaml/monitoring/auth +if [ $CERT_MODE == "True" ] ; then + cat yaml/monitoring/grafana-cert.yaml | envsubst | kubectl -n monitoring apply -f - + cat yaml/monitoring/grafana-ingress-secure.yaml | envsubst | kubectl -n monitoring apply -f - +else + cat yaml/monitoring/grafana-ingress.yaml | envsubst | kubectl -n monitoring apply -f - +fi + +# Setup Registry +echo "] Deploying docker registry ..." +kubectl create namespace registry +if [ $REGISTRY_INTERNAL == "True" ]; then + apt update + apt install daemonize apache2-utils -y + if [ -f /tmp/regsecret ]; then + rm /tmp/regsecret + fi + # Genrating registry-sec for the use of registry.yaml deployment for internal webserver auth + htpasswd -Bb -c /tmp/regsecret $REGISTRY_USER $REGISTRY_PASS + regpassstr=`cat /tmp/regsecret | base64 -w 0` + cat <" + exit 1 +fi + +apt update +apt install -y jq +cp -v scripts/create-sa.sh /usr/local/bin/create-sa + +nspace=$1 +export nspace + +# Setup namespace, Service Accounts, RBAC, Limit +printf "\nsetting up ${nspace}... \n" +cat yaml/system/namespace.yaml | envsubst | kubectl apply -f - +printf "\nsetting up Service Accounts... \n" +/usr/local/bin/create-sa admin-sa ${nspace} +/usr/local/bin/create-sa backup-agent-sa ${nspace} +sleep 5 +printf "\nsetting up RBAC... \n" +cat yaml/system/sa-rbac.yaml | envsubst | kubectl apply -f - +cat yaml/system/sa-rbac-backup-agent.yaml | envsubst | kubectl apply -f - +sleep 5 +printf "\nsetting up resource limits... \n" +kubectl -n $nspace apply -f yaml/system/namespace-resource-limits.yaml + +# Create a auth-keypair unique to the new namespace, to be used by external applications +printf "\nsetting up shared keypair secret... \n" +mkdir -p -v /root/secrets/kube +openssl ecparam -genkey -name prime256v1 -noout -out /root/secrets/kube/${nspace}_id_ecdsa +openssl ec -in /root/secrets/kube/${nspace}_id_ecdsa -pubout -out /root/secrets/kube/${nspace}_id_ecdsa.pub +kubectl -n $nspace create secret generic auth-keypair --from-file=id_ecdsa=/root/secrets/kube/${nspace}_id_ecdsa --from-file=id_ecdsa.pub=/tmp/${nspace}_id_ecdsa.pub +#rm /root/secrets/kube/${nspace}_id_ecdsa +#rm /root/secrets/kube/${nspace}_id_ecdsa.pub + +# Create wildcard certificate if we have cert-manager installed +if [ $CERT_MODE == "True" ] ; then + printf "\ncreate a wildcard certificate secret with letsencrypt for the defined namespace...\n" + cat yaml/system/namespace-wild-cert.yaml | envsubst | kubectl -n ${nspace} apply -f - +fi + +# Copy internal registry credentials from its namespace +kubectl -n registry get secret registry-internal -o yaml | sed "s/namespace: .*/namespace: ${nspace}/" | kubectl apply -f - + +# Path the default service account with registry-internal as ImagePullSecret +kubectl -n ${nspace} patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-internal"}]}' diff --git a/setup-scripts.sh b/setup-scripts.sh new file mode 100755 index 0000000..47a958b --- /dev/null +++ b/setup-scripts.sh @@ -0,0 +1,20 @@ +#!/bin/bash + +echo "] Setup helper scripts ... " +cp -v scripts/k.sh /usr/local/bin/k +cp -v scripts/health.sh /usr/local/bin/health +cp -v scripts/logs-proxy.sh /usr/local/bin/logs-proxy +cp -v scripts/tcp-proxy.sh /usr/local/bin/tcp-proxy +cp -v scripts/omega-tunnel.sh /usr/local/bin/omega-tunnel +cp -v scripts/create-sa.sh /usr/local/bin/create-sa +cp -v scripts/podspernode.sh /usr/local/bin/podspernode + +echo "] Setup k autocomplete ..." +echo "source <(kubectl completion bash)" > /root/.bashrc +echo "complete -F __start_kubectl k" >> /root/.bashrc + +echo "] Setup k9s ... " +curl -L https://github.com/derailed/k9s/releases/download/v0.24.10/k9s_v0.24.10_Linux_x86_64.tar.gz -o /tmp/k9s.tar.gz +tar xzvf /tmp/k9s.tar.gz k9s +mv -v k9s /usr/local/bin +rm /tmp/k9s.tar.gz \ No newline at end of file diff --git a/terraform/README.md b/terraform/README.md new file mode 100644 index 0000000..84c73b2 --- /dev/null +++ b/terraform/README.md @@ -0,0 +1,15 @@ +### Environment variables +- `TF_VAR_vultr_apikey` +- `TF_VAR_proxmox_node01_password` +- `TF_VAR_proxmox_node02_password` +- `TF_VAR_proxmox_node03_password` +- `TF_VAR_proxmox_node04_password` +- `TF_VAR_proxmox_node05_password` +### Create proxmox terraform user +``` +# Create the user +pveum user add terraform@pve --password hackme123 + +# Assign the user the correct role +pveum aclmod / -user terraform@pve -role Administrator +``` \ No newline at end of file diff --git a/terraform/staging/.gitlab-ci.yml b/terraform/staging/.gitlab-ci.yml new file mode 100644 index 0000000..8a457f6 --- /dev/null +++ b/terraform/staging/.gitlab-ci.yml @@ -0,0 +1,32 @@ +# To contribute improvements to CI/CD templates, please follow the Development guide at: +# https://docs.gitlab.com/ee/development/cicd/templates.html +# This specific template is located at: +# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml + +include: + - template: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml + - template: Jobs/SAST-IaC.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml + +stages: + - validate + - test + - build + - deploy + +fmt: + extends: .terraform:fmt + needs: [] + +validate: + extends: .terraform:validate + needs: [] + +build: + extends: .terraform:build + +deploy: + extends: .terraform:deploy + dependencies: + - build + environment: + name: $TF_STATE_NAME \ No newline at end of file diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf new file mode 100644 index 0000000..29bcb38 --- /dev/null +++ b/terraform/staging/main.tf @@ -0,0 +1,50 @@ +terraform { + backend "http" { + } + required_providers { + proxmox = { + source = "Telmate/proxmox" + version = "2.8.0" + } + } +} + +provider "proxmox" { + alias = "prox01" + pm_api_url = "https://10.15.0.101:8006/api2/json" + pm_user = var.proxmox_user + pm_password = var.proxmox_node01_password + pm_tls_insecure = true +} + +provider "proxmox" { + alias = "prox02" + pm_api_url = "https://10.15.0.102:8006/api2/json" + pm_user = var.proxmox_user + pm_password = var.proxmox_node02_password + pm_tls_insecure = true +} + +provider "proxmox" { + alias = "prox03" + pm_api_url = "https://10.15.0.103:8006/api2/json" + pm_user = var.proxmox_user + pm_password = var.proxmox_node03_password + pm_tls_insecure = true +} + +provider "proxmox" { + alias = "prox04" + pm_api_url = "https://10.15.0.104:8006/api2/json" + pm_user = var.proxmox_user + pm_password = var.proxmox_node04_password + pm_tls_insecure = true +} + +provider "proxmox" { + alias = "prox05" + pm_api_url = "https://10.15.0.105:8006/api2/json" + pm_user = var.proxmox_user + pm_password = var.proxmox_node05_password + pm_tls_insecure = true +} \ No newline at end of file diff --git a/terraform/staging/variables.tf b/terraform/staging/variables.tf new file mode 100644 index 0000000..06d380c --- /dev/null +++ b/terraform/staging/variables.tf @@ -0,0 +1,28 @@ +variable "proxmox_user" { + default = "terraform@pve" +} + +variable "proxmox_node01_password" { + type = string + description = "prox01 pve pass" +} + +variable "proxmox_node02_password" { + type = string + description = "prox02 pve pass" +} + +variable "proxmox_node03_password" { + type = string + description = "prox03 pve pass" +} + +variable "proxmox_node04_password" { + type = string + description = "prox04 pve pass" +} + +variable "proxmox_node05_password" { + type = string + description = "prox05 pve pass" +} \ No newline at end of file diff --git a/terraform/testbed-hetzner/.gitlab-ci.yml b/terraform/testbed-hetzner/.gitlab-ci.yml new file mode 100644 index 0000000..8a457f6 --- /dev/null +++ b/terraform/testbed-hetzner/.gitlab-ci.yml @@ -0,0 +1,32 @@ +# To contribute improvements to CI/CD templates, please follow the Development guide at: +# https://docs.gitlab.com/ee/development/cicd/templates.html +# This specific template is located at: +# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml + +include: + - template: Terraform/Base.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml + - template: Jobs/SAST-IaC.latest.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST-IaC.latest.gitlab-ci.yml + +stages: + - validate + - test + - build + - deploy + +fmt: + extends: .terraform:fmt + needs: [] + +validate: + extends: .terraform:validate + needs: [] + +build: + extends: .terraform:build + +deploy: + extends: .terraform:deploy + dependencies: + - build + environment: + name: $TF_STATE_NAME \ No newline at end of file diff --git a/terraform/testbed-hetzner/k8s-masters.tf b/terraform/testbed-hetzner/k8s-masters.tf new file mode 100644 index 0000000..94a980e --- /dev/null +++ b/terraform/testbed-hetzner/k8s-masters.tf @@ -0,0 +1,35 @@ +resource "vultr_instance" "master01test" { + tag = "staging-testbed" + hostname = "master01.teststaging.example.com" + plan = "vc2-2c-4gb" + region = "ams" + os_id = "477" + enable_ipv6 = false + backups = "disabled" + ddos_protection = false + activation_email = true +} + +resource "vultr_instance" "master02test" { + tag = "staging-testbed" + hostname = "master02.teststaging.example.com" + plan = "vc2-2c-4gb" + region = "ams" + os_id = "477" + enable_ipv6 = false + backups = "disabled" + ddos_protection = false + activation_email = true +} + +resource "vultr_instance" "master03test" { + tag = "staging-testbed" + hostname = "master03.teststaging.example.com" + plan = "vc2-2c-4gb" + region = "ams" + os_id = "477" + enable_ipv6 = false + backups = "disabled" + ddos_protection = false + activation_email = true +} diff --git a/terraform/testbed-hetzner/k8s-workers.tf b/terraform/testbed-hetzner/k8s-workers.tf new file mode 100644 index 0000000..c8fe69f --- /dev/null +++ b/terraform/testbed-hetzner/k8s-workers.tf @@ -0,0 +1,41 @@ +resource "proxmox_vm_qemu" "worker01test" { + count = 1 + vmid = 211 + name = "worker01.teststaging.example.com" + target_node = "prox05" + clone = "debian-cloudinit" + os_type = "cloud-init" + cores = 4 + sockets = "1" + cpu = "kvm64" + memory = 4096 + scsihw = "virtio-scsi-pci" + bootdisk = "virtio0" + + disk { + id = 0 + size = 32 + type = "virtio" + storage = "local" + iothread = true + } + + network { + id = 0 + model = "virtio" + bridge = "vmbr0" + } + + lifecycle { + ignore_changes = [ + network, + ] + } + + # Cloud Init Settings + #ipconfig0 = "ip=212.83.177.200/24,gw=10.10.10.1" + cicustom = "network=local:snippets/networkworker01teststaging.yaml" + sshkeys = < { + instance_class = var.instance_type + } + } + monitoring_interval = 60 + iam_role_use_name_prefix = false + iam_role_name = "${var.prefix}-rds-monitoring-role" + kms_key_id = module.kms.key_arn + vpc_id = module.vpc.vpc_id + subnets = module.vpc.database_subnets + + database_name = var.database_name + create_db_cluster_parameter_group = var.create_db_cluster_parameter_group + db_cluster_parameter_group_family = var.parameter_group_family + db_cluster_parameter_group_name = var.cluster_name + + availability_zones = var.azs + enabled_cloudwatch_logs_exports = var.cloud_watch_exports + master_password = random_password.password.result + master_username = var.db_master_username + create_random_password = false + allowed_security_groups = [module.eks_cluster.security_group_id] +} + +############### SECRET MANAGER ###################### + + +data "aws_secretsmanager_secret" "secretmasterdb" { + arn = aws_secretsmanager_secret.secretmasterdb.arn +} + +data "aws_secretsmanager_secret_version" "creds" { + secret_id = data.aws_secretsmanager_secret.secretmasterdb.arn + depends_on = [aws_secretsmanager_secret_version.sversion] +} + +locals { + db_creds = jsondecode(data.aws_secretsmanager_secret_version.creds.secret_string) +} + +resource "random_password" "password" { + length = 24 + override_special = "!#$%&*()-_=+[]{}<>:?" +} + +resource "random_integer" "random" { + min = 100 + max = 999 +} + +resource "aws_secretsmanager_secret" "secretmasterdb" { + name = "${var.prefix}-${var.db_master_username}-${random_integer.random.result}" + kms_key_id = module.kms.key_arn +} + +resource "aws_secretsmanager_secret_version" "sversion" { + secret_id = aws_secretsmanager_secret.secretmasterdb.id + secret_string = <.`. For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + type: string + type: + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + enum: + - http-01 + - dns-01 + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + type: boolean + reason: + description: Reason contains human readable information on why the + Challenge is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an + ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Challenge. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Challenge will + be marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + key: + description: 'Key is the ACME challenge key for this challenge For + HTTP01 challenges, this is the value that must be responded with + to complete the HTTP01 challenge in the format: `.`. For DNS01 challenges, + this is the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Solver contains the domain solving configuration that + should be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + This is the raw value returned from the ACME server. + type: string + type: + description: Type is the type of ACME challenge this resource represents. + One of "http-01" or "dns-01". + enum: + - http-01 + - dns-01 + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the + 'scheduling' component. It will only be set to false by the 'challenges' + controller, after the challenge has reached a final state or timed + out. If this field is set to false, the challenge controller will + not take any more action. + type: boolean + reason: + description: Reason contains human readable information on why the + Challenge is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. + If not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an + ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this + challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which + should be used to create this Challenge. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + key: + description: 'The ACME challenge key for this challenge For HTTP01 + challenges, this is the value that must be responded with to complete + the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + enum: + - HTTP-01 + - DNS-01 + type: string + url: + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not + set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.dnsName + name: Domain + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an + ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authorizationURL: + description: The URL to the ACME Authorization resource that this + challenge is a part of. + type: string + dnsName: + description: dnsName is the identifier that this challenge is for, + e.g. example.com. If the requested DNSName is a 'wildcard', this + field MUST be set to the non-wildcard domain, e.g. for `*.example.com`, + it must be `example.com`. + type: string + issuerRef: + description: References a properly configured ACME-type Issuer which + should be used to create this Challenge. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + key: + description: 'The ACME challenge key for this challenge For HTTP01 + challenges, this is the value that must be responded with to complete + the HTTP01 challenge in the format: `.`. For DNS01 challenges, this is + the base64 encoded SHA256 sum of the `.` text that must be set as the TXT + record content.' + type: string + solver: + description: Contains the domain solving configuration that should + be used to solve this challenge resource. + properties: + dns01: + description: Configures cert-manager to attempt to complete authorizations + by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API to manage + DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage DNS01 + challenge records. + properties: + clientID: + description: if both this and ClientSecret are left unset + MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left unset + MSI will be used + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage DNS01 + challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field that + tells cert-manager in which Cloud DNS zone the challenge + record has to be created. If left empty cert-manager + will automatically choose a zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 challenge + records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with Cloudflare. + Note: using an API token to authenticate is now the + recommended method as it allows greater control of permissions.' + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with Cloudflare. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required when + using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage DNS01 + challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within a + Secret resource. In some instances, `key` is a required + field. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain Name + System") (https://datatracker.ietf.org/doc/rfc2136/) to + manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed in + square brackets (e.g [2001:db8::1]) ; port is optional. + This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS + supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values are + (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, + ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ``tsigSecretSecretRef`` is defined, this field is + required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ``tsigKeyName`` is defined, this field is + required. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 challenge + records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the + route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 challenge + solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values + should not be specified in this stanza. If secret values + are needed (e.g. credentials for a DNS service), you + should use a SecretKeySelector to reference a Secret + resource. For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete authorizations + by performing the HTTP01 challenge flow. It is not possible + to obtain certificates for wildcard domain names (e.g. `*.example.com`) + using the HTTP01 challenge mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels or + annotations overlap with in-built values, the values + here will override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the created ACME HTTP01 solver ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it + in order to solve HTTP01 challenges. This is typically + used in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used + to solve HTTP01 challenges. Only the 'labels' and + 'annotations' fields may be set. If labels or annotations + overlap with in-built values, the values here will + override the in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be added + to the create ACME HTTP01 solver pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added to the + created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to an update), + the system may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type + implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements by node's + labels. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements by node's + fields. + items: + description: A node selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array + of string values. If + the operator is In or + NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the + values array must be + empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will + be interpreted as an + integer. This array + is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified by + this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose a node + that violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by + iterating through the elements of this + field and adding "weight" to the sum + if the node has pods which matches the + corresponding podAffinityTerm; the node(s) + with the highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met + at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity + requirements specified by this field + cease to be met at some point during + pod execution (e.g. due to a pod label + update), the system may or may not try + to eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value of + the label with key matches + that of any node on which a pod of + the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this case + pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a + key, and an operator that + relates the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator + represents a key's relationship + to a set of values. + Valid operators are + In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is + an array of string values. + If the operator is In + or NotIn, the values + array must be non-empty. + If the operator is Exists + or DoesNotExist, the + values array must be + empty. This array is + replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in the + matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not co-located + (anti-affinity) with the pods + matching the labelSelector in + the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match all + taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints + of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. + By default, it is not set, which means + tolerate the taint forever (do not evict). + Zero and negative values will be treated + as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator + is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver has + a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames + selector will take precedence over a dnsZones selector. + If multiple solvers match with the same dnsNames value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: The ACME challenge token for this challenge. This is + the raw value returned from the ACME server. + type: string + type: + description: The type of ACME challenge this resource represents. + One of "HTTP-01" or "DNS-01". + enum: + - HTTP-01 + - DNS-01 + type: string + url: + description: The URL of the ACME Challenge resource for this challenge. + This can be used to lookup details about the status of this challenge. + type: string + wildcard: + description: wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com'. + type: boolean + required: + - authorizationURL + - dnsName + - issuerRef + - key + - solver + - token + - type + - url + type: object + status: + properties: + presented: + description: presented will be set to true if the challenge values + for this challenge are currently 'presented'. This *does not* imply + the self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Used to denote whether this challenge should be processed + or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: Contains the current 'state' of the challenge. If not + set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + name: clusterissuers.cert-manager.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: A ClusterIssuer represents a certificate issuing authority which + can be referenced as part of `issuerRef` fields. It is similar to an Issuer, + however it is cluster-scoped and therefore can be referenced by resources + that exist in *any* namespace, not just the same namespace as the referent. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the ClusterIssuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the ClusterIssuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + name: issuers.cert-manager.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmedns: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + clouddns: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - jsonPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: An Issuer represents a certificate issuing authority which can + be referenced as part of `issuerRef` fields. It is scoped to a single namespace + and can therefore only be referenced by resources within the same namespace. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Desired state of the Issuer resource. + properties: + acme: + description: ACME configures this issuer to communicate with a RFC8555 + (ACME) server to obtain signed x509 certificates. + properties: + disableAccountKeyGeneration: + description: Enables or disables generating a new ACME account + key. If true, the Issuer resource will *not* request a new account + but will expect the account key to be supplied via an existing + secret. If false, the cert-manager system will generate a new + ACME account key for the Issuer. Defaults to false. + type: boolean + email: + description: Email is the email address to be associated with + the ACME account. This field is optional, but it is strongly + recommended to be set. It will be used to contact you in case + of issues with your account or certificates, including expiry + notification emails. This field may be updated after the account + is initially registered. + type: string + enableDurationFeature: + description: Enables requesting a Not After date on certificates + that matches the duration of the certificate. This is not supported + by all ACME servers like Let's Encrypt. If set to true when + the ACME server does not support it it will create an error + on the Order. Defaults to false. + type: boolean + externalAccountBinding: + description: ExternalAccountBinding is a reference to a CA external + account of the ACME server. If set, upon registration cert-manager + will attempt to associate the given external account credentials + with the registered ACME account. + properties: + keyAlgorithm: + description: keyAlgorithm is the MAC key algorithm that the + key is used for. Valid values are "HS256", "HS384" and "HS512". + enum: + - HS256 + - HS384 + - HS512 + type: string + keyID: + description: keyID is the ID of the CA key that the External + Account is bound to. + type: string + keySecretRef: + description: keySecretRef is a Secret Key Selector referencing + a data item in a Kubernetes Secret which holds the symmetric + MAC key of the External Account Binding. The `key` is the + index string that is paired with the key data in the Secret + and should not be confused with the key data itself, or + indeed with the External Account Binding keyID above. The + secret key stored in the Secret **must** be un-padded, base64 + URL encoded data. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - keyAlgorithm + - keyID + - keySecretRef + type: object + preferredChain: + description: 'PreferredChain is the chain to use if the ACME server + outputs multiple. PreferredChain is no guarantee that this one + gets delivered by the ACME endpoint. For example, for Let''s + Encrypt''s DST crosssign you would use: "DST Root CA X3" or + "ISRG Root X1" for the newer Let''s Encrypt root CA. This value + picks the first certificate bundle in the ACME alternative chains + that has a certificate with this value as its issuer''s CN' + maxLength: 64 + type: string + privateKeySecretRef: + description: PrivateKey is the name of a Kubernetes Secret resource + that will be used to store the automatically generated ACME + account private key. Optionally, a `key` may be specified to + select a specific entry within the named Secret resource. If + `key` is not specified, a default of `tls.key` will be used. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field may + be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + server: + description: 'Server is the URL used to access the ACME server''s + ''directory'' endpoint. For example, for Let''s Encrypt''s staging + endpoint, you would use: "https://acme-staging-v02.api.letsencrypt.org/directory". + Only ACME v2 endpoints (i.e. RFC 8555) are supported.' + type: string + skipTLSVerify: + description: Enables or disables validation of the ACME server + TLS certificate. If true, requests to the ACME server will not + have their TLS certificate validated (i.e. insecure connections + will be allowed). Only enable this option in development environments. + The cert-manager system installed roots will be used to verify + connections to the ACME server if this is false. Defaults to + false. + type: boolean + solvers: + description: 'Solvers is a list of challenge solvers that will + be used to solve ACME challenges for the matching domains. Solver + configurations must be provided in order to obtain certificates + from an ACME server. For more information, see: https://cert-manager.io/docs/configuration/acme/' + items: + description: Configures an issuer to solve challenges using + the specified options. Only one of HTTP01 or DNS01 may be + provided. + properties: + dns01: + description: Configures cert-manager to attempt to complete + authorizations by performing the DNS01 challenge flow. + properties: + acmeDNS: + description: Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) + API to manage DNS01 challenge records. + properties: + accountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: Use the Akamai DNS zone management API + to manage DNS01 challenge records. + properties: + accessTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientSecretSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + clientTokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azureDNS: + description: Use the Microsoft Azure DNS API to manage + DNS01 challenge records. + properties: + clientID: + description: if both this and ClientSecret are left + unset MSI will be used + type: string + clientSecretSecretRef: + description: if both this and ClientID are left + unset MSI will be used + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + description: when specifying ClientID and ClientSecret + then this field is also needed + type: string + required: + - resourceGroupName + - subscriptionID + type: object + cloudDNS: + description: Use the Google Cloud DNS API to manage + DNS01 challenge records. + properties: + hostedZoneName: + description: HostedZoneName is an optional field + that tells cert-manager in which Cloud DNS zone + the challenge record has to be created. If left + empty cert-manager will automatically choose a + zone. + type: string + project: + type: string + serviceAccountSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - project + type: object + cloudflare: + description: Use the Cloudflare API to manage DNS01 + challenge records. + properties: + apiKeySecretRef: + description: 'API key to use to authenticate with + Cloudflare. Note: using an API token to authenticate + is now the recommended method as it allows greater + control of permissions.' + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + apiTokenSecretRef: + description: API token used to authenticate with + Cloudflare. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + email: + description: Email of the account, only required + when using API key based authentication. + type: string + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 + provider should handle CNAME records when found in + DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: Use the DigitalOcean DNS API to manage + DNS01 challenge records. + properties: + tokenSecretRef: + description: A reference to a specific 'key' within + a Secret resource. In some instances, `key` is + a required field. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: Use RFC2136 ("Dynamic Updates in the Domain + Name System") (https://datatracker.ietf.org/doc/rfc2136/) + to manage DNS01 challenge records. + properties: + nameserver: + description: The IP address or hostname of an authoritative + DNS server supporting RFC2136 in the form host:port. + If the host is an IPv6 address it must be enclosed + in square brackets (e.g [2001:db8::1]) ; port + is optional. This field is required. + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` + and ``tsigKeyName`` are defined. Supported values + are (case-insensitive): ``HMACMD5`` (default), + ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.' + type: string + tsigKeyName: + description: The TSIG Key name configured in the + DNS. If ``tsigSecretSecretRef`` is defined, this + field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ``tsigKeyName`` is defined, this + field is required. + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: Use the AWS Route53 API to manage DNS01 + challenge records. + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: + https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup + using the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit + credentials AccessKeyID/SecretAccessKey or the + inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the entry in the Secret + resource's `data` field to be used. Some instances + of this field may be defaulted, in others + it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: Configure an external webhook based DNS01 + challenge solver to manage DNS01 challenge records. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON + data. Secret values should not be specified in + this stanza. If secret values are needed (e.g. + credentials for a DNS service), you should use + a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult + the webhook provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the + webhook apiserver. This should be the same as + the GroupName specified in the webhook provider + implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: Configures cert-manager to attempt to complete + authorizations by performing the HTTP01 challenge flow. + It is not possible to obtain certificates for wildcard + domain names (e.g. `*.example.com`) using the HTTP01 challenge + mechanism. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by + cert-manager for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' + or 'name' may be specified. + type: string + ingressTemplate: + description: Optional ingress template used to configure + the ACME challenge solver ingress used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the ingress + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the created ACME HTTP01 solver + ingress. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver ingress. + type: object + type: object + type: object + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress + controllers like ingress-gce, which maintains + a 1:1 mapping between external IPs and ingress + resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 + challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the + 'labels' and 'annotations' fields may be set. + If labels or annotations overlap with in-built + values, the values here will override the + in-built values. + properties: + annotations: + additionalProperties: + type: string + description: Annotations that should be + added to the create ACME HTTP01 solver + pods. + type: object + labels: + additionalProperties: + type: string + description: Labels that should be added + to the created ACME HTTP01 solver pods. + type: object + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'priorityClassName', + 'nodeSelector', 'affinity', 'serviceAccountName' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity + scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches + the corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all + objects with implicit weight + 0 (i.e. it's a no-op). A null + preferred scheduling term matches + no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to an + update), the system may or may + not try to eventually evict the + pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset + of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of + node selector requirements + by node's labels. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of + node selector requirements + by node's fields. + items: + description: A node + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: The + label key that + the selector applies + to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An + array of string + values. If the + operator is In + or NotIn, the + values array must + be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + If the operator + is Gt or Lt, the + values array must + have a single + element, which + will be interpreted + as an integer. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity + scheduling rules (e.g. co-locate this + pod in the same node, zone, etc. as + some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the affinity expressions + specified by this field, but it + may choose a node that violates + one or more of the expressions. + The node that is most preferred + is the one with the greatest sum + of weights, i.e. for each node + that meets all of the scheduling + requirements (resource request, + requiredDuringScheduling affinity + expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the + node. If the affinity requirements + specified by this field cease + to be met at some point during + pod execution (e.g. due to a pod + label update), the system may + or may not try to eventually evict + the pod from its node. When there + are multiple elements, the lists + of nodes corresponding to each + podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will + prefer to schedule pods to nodes + that satisfy the anti-affinity + expressions specified by this + field, but it may choose a node + that violates one or more of the + expressions. The node that is + most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and + adding "weight" to the sum if + the node has pods which matches + the corresponding podAffinityTerm; + the node(s) with the highest sum + are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to + find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector + that contains + values, a key, + and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents + a key's relationship + to a set of + values. Valid + operators + are In, NotIn, + Exists and + DoesNotExist. + type: string + values: + description: values + is an array + of string + values. If + the operator + is In or NotIn, + the values + array must + be non-empty. + If the operator + is Exists + or DoesNotExist, + the values + array must + be empty. + This array + is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single + {key,value} in the + matchLabels map + is equivalent to + an element of matchExpressions, + whose key field + is "key", the operator + is "In", and the + values array contains + only "value". The + requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod + should be co-located + (affinity) or not co-located + (anti-affinity) with + the pods matching the + labelSelector in the + specified namespaces, + where co-located is + defined as running on + a node whose value of + the label with key topologyKey + matches that of any + node on which any of + the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the + range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this + field are not met at scheduling + time, the pod will not be scheduled + onto the node. If the anti-affinity + requirements specified by this + field cease to be met at some + point during pod execution (e.g. + due to a pod label update), the + system may or may not try to eventually + evict the pod from its node. When + there are multiple elements, the + lists of nodes corresponding to + each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of + pods (namely those matching + the labelSelector relative to + the given namespace(s)) that + this pod should be co-located + (affinity) or not co-located + (anti-affinity) with, where + co-located is defined as running + on a node whose value of the + label with key + matches that of any node on + which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, a + key, and an operator + that relates the key + and values. + properties: + key: + description: key + is the label key + that the selector + applies to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values + is an array of + string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an + element of matchExpressions, + whose key field is "key", + the operator is "In", + and the values array + contains only "value". + The requirements are + ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on + a node whose value of the + label with key topologyKey + matches that of any node + on which any of the selected + pods is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector + which must be true for the pod to fit + on a node. Selector which must match a + node''s labels for the pod to be scheduled + on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priorityClassName: + description: If specified, the pod's priorityClassName. + type: string + serviceAccountName: + description: If specified, the pod's service + account + type: string + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that + matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the + taint effect to match. Empty means + match all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key + that the toleration applies to. + Empty means match all taint keys. + If the key is empty, operator must + be Exists; this combination means + to match all values and all keys. + type: string + operator: + description: Operator represents a + key's relationship to the value. + Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent + to wildcard for value, so that a + pod can tolerate all taints of a + particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) + tolerates the taint. By default, + it is not set, which means tolerate + the taint forever (do not evict). + Zero and negative values will be + treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + If not specified, the solver will be treated as the 'default' + solver with the lowest priority, i.e. if any other solver + has a more specific match, it will be used instead. + properties: + dnsNames: + description: List of DNSNames that this solver will + be used to solve. If specified and a match is found, + a dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same + dnsNames value, the solver with the most matching + labels in matchLabels will be selected. If neither + has more matches, the solver defined earlier in the + list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will + be used to solve. The most specific DNS zone match + specified here will take precedence over other DNS + zone matches, so a solver specifying sys.example.com + will be selected over one specifying example.com for + the domain www.sys.example.com. If multiple solvers + match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier + in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine + the set of certificate's that this challenge solver + will apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + description: CA configures this issuer to sign certificates using + a signing CA keypair stored in a Secret resource. This is used to + build internal PKIs that are managed by cert-manager. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set, + certificates will be issued without distribution points set. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to sign + Certificates issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + description: SelfSigned configures this issuer to 'self sign' certificates + using the private key used to create the CertificateRequest object. + properties: + crlDistributionPoints: + description: The CRL distribution points is an X.509 v3 certificate + extension which identifies the location of the CRL from which + the revocation of this certificate can be checked. If not set + certificate will be issued without CDP. Values are strings. + items: + type: string + type: array + type: object + vault: + description: Vault configures this issuer to sign certificates using + a HashiCorp Vault PKI backend. + properties: + auth: + description: Auth configures how cert-manager authenticates with + the Vault server. + properties: + appRole: + description: AppRole authenticates with Vault using the App + Role auth mechanism, with the role and secret stored in + a Kubernetes Secret resource. + properties: + path: + description: 'Path where the App Role authentication backend + is mounted in Vault, e.g: "approle"' + type: string + roleId: + description: RoleID configured in the App Role authentication + backend when setting up the authentication backend in + Vault. + type: string + secretRef: + description: Reference to a key in a Secret that contains + the App Role secret used to authenticate with Vault. + The `key` field must be specified and denotes which + entry within the Secret resource is used as the app + role secret. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: Kubernetes authenticates with Vault by passing + the ServiceAccount token stored in the named Secret resource + to the Vault server. + properties: + mountPath: + description: The Vault mountPath here is the mount path + to use when authenticating with Vault. For example, + setting a value to `/v1/auth/foo`, will use the path + `/v1/auth/foo/login` to authenticate with Vault. If + unspecified, the default value "/v1/auth/kubernetes" + will be used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount + with a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this + field may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred + to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: TokenSecretRef authenticates with Vault by presenting + a token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + type: object + caBundle: + description: PEM encoded CA bundle used to validate Vault server + certificate. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + If not set the system root certificates are used to validate + the TLS connection. + format: byte + type: string + namespace: + description: 'Name of the vault namespace. Namespaces is a set + of features within Vault Enterprise that allows Vault environments + to support Secure Multi-tenancy. e.g: "ns1" More about namespaces + can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + type: string + path: + description: 'Path is the mount path of the Vault PKI backend''s + `sign` endpoint, e.g: "my_pki_mount/sign/my-role-name".' + type: string + server: + description: 'Server is the connection address for the Vault server, + e.g: "https://vault.example.com:8200".' + type: string + required: + - auth + - path + - server + type: object + venafi: + description: Venafi configures this issuer to sign certificates using + a Venafi TPP or Venafi Cloud policy zone. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the entry in the Secret resource's + `data` field to be used. Some instances of this field + may be defaulted, in others it may be required. + type: string + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud. Defaults + to "https://api.venafi.cloud/v1". + type: string + required: + - apiTokenSecretRef + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certificate to + use to verify connections to the TPP instance. If specified, + system roots will not be used and the issuing CA for the + TPP instance must be verifiable using the provided root. + If not specified, the connection will be verified using + the cert-manager system root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret + must contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the resource being referred to. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - name + type: object + url: + description: 'URL is the base URL for the vedsdk endpoint + of the Venafi TPP instance, for example: "https://tpp.example.com/vedsdk".' + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted + by the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: Status of the Issuer. This is set and managed automatically. + properties: + acme: + description: ACME specific status options. This field should only + be set if the Issuer is configured to use an ACME server to issue + certificates. + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with + the latest registered ACME account, in order to track changes + made to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + description: List of status conditions to indicate the status of a + CertificateRequest. Known condition types are `Ready`. + items: + description: IssuerCondition contains condition information for + an Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the + details of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation + for the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, known values are ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + cert-manager.io/inject-ca-from-secret: cert-manager/cert-manager-webhook-ca + labels: + app: cert-manager + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/name: cert-manager + name: orders.acme.cert-manager.io +spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + service: + name: cert-manager-webhook + namespace: cert-manager + path: /convert + conversionReviewVersions: + - v1 + - v1beta1 + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames` + or `ipAddresses`. This field must match the corresponding field + on the DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + items: + type: string + type: array + duration: + description: Duration is the duration for the not after date for the + requested certificate. this is set on order creation as pe the ACME + spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be + included as part of the Order validation process. This field must + match the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames` + or `ipAddresses`. This field must match the corresponding field + on the DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + items: + type: string + type: array + duration: + description: Duration is the duration for the not after date for the + requested certificate. this is set on order creation as pe the ACME + spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be + included as part of the Order validation process. This field must + match the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames` + or `ipAddresses`. This field must match the corresponding field + on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + items: + type: string + type: array + duration: + description: Duration is the duration for the not after date for the + requested certificate. this is set on order creation as pe the ACME + spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be + included as part of the Order validation process. This field must + match the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + required: + - issuerRef + - request + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + - jsonPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - jsonPath: .status.reason + name: Reason + priority: 1 + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER + encoded CSR. If specified, this value must also be present in `dnsNames` + or `ipAddresses`. This field must match the corresponding field + on the DER encoded CSR. + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. This field must match the + corresponding field on the DER encoded CSR. + items: + type: string + type: array + duration: + description: Duration is the duration for the not after date for the + requested certificate. this is set on order creation as pe the ACME + spec. + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses that should be + included as part of the Order validation process. This field must + match the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type + Issuer which should be used to create this Order. If the Issuer + does not exist, processing will be retried. If the Issuer is not + an 'ACME' Issuer, an error will be returned and the Order will be + marked as failed. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + request: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + required: + - issuerRef + - request + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authorizations must be completed in order to validate the + DNS names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge + resource will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented + for this challenge. This is used to compute the 'key' + that must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. 'http-01', 'dns-01', 'tls-sni-01', etc. This is + the raw value retrieved from the ACME server. Only 'http-01' + and 'dns-01' are supported by cert-manager, other values + will be ignored. + type: string + url: + description: URL is the URL of this challenge. It can + be used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + initialState: + description: InitialState is the initial state of the ACME authorization + when first fetched from the ACME server. If an Authorization + is already 'valid', the Order controller will not create a + Challenge resource for the authorization. This will occur + when working with an ACME server that enables 'authz reuse' + (such as Let's Encrypt's production endpoint). If not set + and 'identifier' is set, the state is assumed to be pending + and a Challenge will be created. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is + for a wildcard DNS name. If this is true, the identifier will + be the *non-wildcard* version of the DNS name. For example, + if '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate + for this Order. This field will be populated after the order has + been successfully finalized with the ACME server, and the order + has transitioned to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/yaml/cert-manager/letsencrypt-production-clusterissuer.yaml b/yaml/cert-manager/letsencrypt-production-clusterissuer.yaml new file mode 100644 index 0000000..5422251 --- /dev/null +++ b/yaml/cert-manager/letsencrypt-production-clusterissuer.yaml @@ -0,0 +1,20 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: var_acme_email + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-sec-production + # Enable the HTTP-01 challenge provider + solvers: + # An empty 'selector' means that this solver matches all domains + - selector: {} + http01: + ingress: + class: nginx diff --git a/yaml/cert-manager/letsencrypt-production-dns-clusterissuer.yaml b/yaml/cert-manager/letsencrypt-production-dns-clusterissuer.yaml new file mode 100644 index 0000000..2f09993 --- /dev/null +++ b/yaml/cert-manager/letsencrypt-production-dns-clusterissuer.yaml @@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production-dns +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: var_acme_email + + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-sec-production-dns + + # ACME DNS-01 provider configurations + solvers: + # An empty 'selector' means that this solver matches all domains + - selector: {} + dns01: + cloudflare: + email: var_acme_email + # !! Remember to first create a k8s secret + # kubectl create secret generic cloudflare-api-key-secret + apiKeySecretRef: + name: cf-api-secret + key: cf-api-key diff --git a/yaml/cert-manager/letsencrypt-staging-clusterissuer.yaml b/yaml/cert-manager/letsencrypt-staging-clusterissuer.yaml new file mode 100644 index 0000000..016afe9 --- /dev/null +++ b/yaml/cert-manager/letsencrypt-staging-clusterissuer.yaml @@ -0,0 +1,20 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + # The ACME server URL + server: https://acme-staging-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: var_acme_email + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-sec-staging + # Enable the HTTP-01 challenge provider + solvers: + # An empty 'selector' means that this solver matches all domains + - selector: {} + http01: + ingress: + class: nginx diff --git a/yaml/cert-manager/letsencrypt-staging-dns-clusterissuer.yaml b/yaml/cert-manager/letsencrypt-staging-dns-clusterissuer.yaml new file mode 100644 index 0000000..f63948d --- /dev/null +++ b/yaml/cert-manager/letsencrypt-staging-dns-clusterissuer.yaml @@ -0,0 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging-dns +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: var_acme_email + + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-sec-staging-dns + + # ACME DNS-01 provider configurations + solvers: + # An empty 'selector' means that this solver matches all domains + - selector: {} + dns01: + cloudflare: + email: var_acme_email + # !! Remember to first create a k8s secret + # kubectl create secret generic cloudflare-api-key-secret + apiKeySecretRef: + name: cf-api-secret + key: cf-api-key diff --git a/yaml/cert-manager/values.yaml b/yaml/cert-manager/values.yaml new file mode 100644 index 0000000..f0c4900 --- /dev/null +++ b/yaml/cert-manager/values.yaml @@ -0,0 +1,354 @@ +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + ## Reference to one or more secrets to be used when pulling images + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + imagePullSecrets: [] + # - name: "image-pull-secret" + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + rbac: + create: true + + podSecurityPolicy: + enabled: false + useAppArmor: true + + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + logLevel: 2 + + leaderElection: + # Override the namespace used to store the ConfigMap for leader election + namespace: "kube-system" + +installCRDs: false + +replicaCount: 1 + +strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + +# Comma separated list of feature gates that should be enabled on the +# controller pod. +featureGates: "" + +image: + repository: quay.io/jetstack/cert-manager-controller + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-controller + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + +# Optional additional arguments +extraArgs: [] + # Use this flag to set a namespace that cert-manager will use to store + # supporting resources required for each ClusterIssuer (default is kube-system) + # - --cluster-resource-namespace=kube-system + # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + # - --enable-certificate-owner-ref=true + +extraEnv: [] +# - name: SOME_VAR +# value: 'some value' + +resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + +# Pod Security Context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: {} +# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported +# securityContext: +# enabled: false +# fsGroup: 1001 +# runAsUser: 1001 +# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters +# you want to set, e.g. +# securityContext: +# fsGroup: 1000 +# runAsUser: 1000 +# runAsNonRoot: true + +# Container Security Context to be set on the controller component container +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + +volumes: [] + +volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods +# podAnnotations: {} + +podLabels: {} + +# Optional DNS settings, useful if you have a public and private DNS zone for +# the same domain on Route 53. What follows is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. +# podDnsPolicy: "None" +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +nodeSelector: {} + +ingressShim: {} + # defaultIssuerName: "" + # defaultIssuerKind: "" + # defaultIssuerGroup: "" + +prometheus: + enabled: true + servicemonitor: + enabled: false + prometheusInstance: default + targetPort: 9402 + path: /metrics + interval: 60s + scrapeTimeout: 30s + labels: {} + +# Use these variables to configure the HTTP_PROXY environment variables +# http_proxy: "http://proxy:8080" +# http_proxy: "http://proxy:8080" +# no_proxy: 127.0.0.1,localhost + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core +# for example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core +# for example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +webhook: + replicaCount: 1 + timeoutSeconds: 10 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the webhook component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + # Optional additional annotations to add to the webhook Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods + # podAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # validatingWebhookConfigurationAnnotations: {} + + # Optional additional arguments for webhook + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + # Optional additional labels to add to the Webhook Pods + podLabels: {} + + image: + repository: quay.io/jetstack/cert-manager-webhook + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-webhook + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + securePort: 10260 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: true + +cainjector: + enabled: true + replicaCount: 1 + + strategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + + securityContext: {} + + # Container Security Context to be set on the cainjector component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + + + # Optional additional annotations to add to the cainjector Deployment + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods + # podAnnotations: {} + + # Optional additional arguments for cainjector + extraArgs: [] + + resources: {} + # requests: + # cpu: 10m + # memory: 32Mi + + nodeSelector: {} + + affinity: {} + + tolerations: [] + + # Optional additional labels to add to the CA Injector Pods + podLabels: {} + + image: + repository: quay.io/jetstack/cert-manager-cainjector + # You can manage a registry with + # registry: quay.io + # repository: jetstack/cert-manager-cainjector + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # tag: canary + + # Setting a digest will override any tag + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # annotations: {} diff --git a/yaml/ingress-nginx/old-values.yaml b/yaml/ingress-nginx/old-values.yaml new file mode 100644 index 0000000..8c4f1d2 --- /dev/null +++ b/yaml/ingress-nginx/old-values.yaml @@ -0,0 +1,738 @@ +## nginx configuration +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/controllers/nginx/configuration.md +## + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: + +controller: + name: controller + image: + repository: k8s.gcr.io/ingress-nginx/controller + tag: "v0.41.2" + digest: sha256:1f4f402b9c14f3ae92b11ada1dfe9893a88f0faeb0b2f4b903e2c67a0c3bf0de + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + #config: {} + config: + use-proxy-protocol: "false" + client-header-buffer-size: "8k" + large-client-header-buffers: "4 16k" + use-forwarded-headers: "true" + use-geoip: "true" + use-geoip2: "true" + + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers + #proxySetHeaders: {} + proxySetHeaders: + X-Country-Code: $geoip_country_code + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Optionally customize the pod dnsConfig. + dnsConfig: {} + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + #dnsPolicy: ClusterFirst + dnsPolicy: ClusterFirstWithHostNet + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + #hostNetwork: false + hostNetwork: true + + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## + podSecurityContext: {} + + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. + publishService: + enabled: true + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to .Release.Namespace + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the tcp-services-configmap + ## + tcp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} + + ## Allows customization of the udp-services-configmap + ## + udp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} + + # Maxmind license key to download GeoLite2 Databases + # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + #kind: Deployment + kind: DaemonSet + + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + port: 10254 + + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + # limits: + # cpu: 100m + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + + # Mutually exclusive with keda autoscaling + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + #type: LoadBalancer + + type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + annotations: {} + enabled: true + failurePolicy: Fail + # timeoutSeconds: 10 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + patch: + enabled: true + image: + repository: docker.io/jettech/kube-webhook-certgen + tag: v1.5.0 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: {} + tolerations: [] + runAsUser: 2000 + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + ## List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9913 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + name: defaultbackend + image: + repository: k8s.gcr.io/defaultbackend-amd64 + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + extraArgs: {} + + serviceAccount: + create: true + name: + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + service: + annotations: {} + + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: true + scope: false + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp +## +udp: {} +# 53: "kube-system/kube-dns:53" diff --git a/yaml/ingress-nginx/values.yaml b/yaml/ingress-nginx/values.yaml new file mode 100644 index 0000000..81693de --- /dev/null +++ b/yaml/ingress-nginx/values.yaml @@ -0,0 +1,820 @@ +## nginx configuration +## Ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/index.md +## + +## Overrides for generated resource names +# See templates/_helpers.tpl +# nameOverride: +# fullnameOverride: + +controller: + name: controller + image: + registry: k8s.gcr.io + image: ingress-nginx/controller + # for backwards compatibility consider setting the full image url via the repository value below + # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # repository: + tag: "v0.47.0" + digest: sha256:a1e4efc107be0bb78f32eaec37bef17d7a0c81bec8066cdf2572508d21351d0b + pullPolicy: IfNotPresent + # www-data -> uid 101 + runAsUser: 101 + allowPrivilegeEscalation: true + + # Use an existing PSP instead of creating one + existingPsp: "" + + # Configures the controller container name + containerName: controller + + # Configures the ports the nginx-controller listens on + containerPort: + http: 80 + https: 443 + + # Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/ + #config: {} + config: + use-proxy-protocol: "false" + client-header-buffer-size: "8k" + large-client-header-buffers: "4 16k" + use-forwarded-headers: "true" + use-geoip: "false" + use-geoip2: "true" + + ## Annotations to be added to the controller config configuration configmap + ## + configAnnotations: {} + + # Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/customization/custom-headers + #proxySetHeaders: {} + proxySetHeaders: + X-Country-Code: $geoip2_city_country_code + + # Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers + addHeaders: {} + + # Optionally customize the pod dnsConfig. + dnsConfig: {} + + # Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'. + # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller + # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet. + dnsPolicy: ClusterFirst + #dnsPolicy: ClusterFirstWithHostNet + + # Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network + # Ingress status was blank because there is no Service exposing the NGINX Ingress controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply + reportNodeInternalIp: false + + # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm), + # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920 + # is merged + hostNetwork: false + #hostNetwork: true + + ## Use host ports 80 and 443 + ## Disabled by default + ## + hostPort: + enabled: false + ports: + http: 80 + https: 443 + + ## Election ID to use for status update + ## + electionID: ingress-controller-leader + + ## Name of the ingress class to route through this controller + ## + ingressClass: nginx + + # This section refers to the creation of the IngressClass resource + # IngressClass resources are supported since k8s >= 1.18 + ingressClassResource: + enabled: false + default: false + + # Parameters is a link to a custom resource containing additional + # configuration for the controller. This is optional if the controller + # does not require extra parameters. + parameters: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Security Context policies for controller pods + ## + podSecurityContext: {} + + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ### + sysctls: {} + # sysctls: + # "net.core.somaxconn": "8192" + + ## Allows customization of the source of the IP address or FQDN to report + ## in the ingress status field. By default, it reads the information provided + ## by the service. If disable, the status field reports the IP address of the + ## node or nodes where an ingress controller pod is running. + publishService: + enabled: true + ## Allows overriding of the publish service to bind to + ## Must be / + ## + pathOverride: "" + + ## Limit the scope of the controller + ## + scope: + enabled: false + namespace: "" # defaults to .Release.Namespace + + ## Allows customization of the configmap / nginx-configmap namespace + ## + configMapNamespace: "" # defaults to .Release.Namespace + + ## Allows customization of the tcp-services-configmap + ## + tcp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the tcp config configmap + annotations: {} + + ## Allows customization of the udp-services-configmap + ## + udp: + configMapNamespace: "" # defaults to .Release.Namespace + ## Annotations to be added to the udp config configmap + annotations: {} + + # Maxmind license key to download GeoLite2 Databases + # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + maxmindLicenseKey: "" + + ## Additional command line arguments to pass to nginx-ingress-controller + ## E.g. to specify the default SSL certificate you can use + ## extraArgs: + ## default-ssl-certificate: "/" + extraArgs: {} + + ## Additional environment variables to set + extraEnvs: [] + # extraEnvs: + # - name: FOO + # valueFrom: + # secretKeyRef: + # key: FOO + # name: secret-resource + + ## DaemonSet or Deployment + ## + #kind: Deployment + kind: DaemonSet + + ## Annotations to be added to the controller Deployment or DaemonSet + ## + annotations: {} + # keel.sh/pollSchedule: "@every 60m" + + ## Labels to be added to the controller Deployment or DaemonSet + ## + labels: {} + # keel.sh/policy: patch + # keel.sh/trigger: poll + + + # The update strategy to apply to the Deployment or DaemonSet + ## + updateStrategy: {} + # rollingUpdate: + # maxUnavailable: 1 + # type: RollingUpdate + + # minReadySeconds to avoid killing pods before we are ready + ## + minReadySeconds: 0 + + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Affinity and anti-affinity + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" + + ## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal + + ## terminationGracePeriodSeconds + ## wait up to five minutes for the drain of connections + ## + terminationGracePeriodSeconds: 300 + + ## Node labels for controller pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: + kubernetes.io/os: linux + + ## Liveness and readiness probe values + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + # startupProbe: + # httpGet: + # # should match container.healthCheckPath + # path: "/healthz" + # port: 10254 + # scheme: HTTP + # initialDelaySeconds: 5 + # periodSeconds: 5 + # timeoutSeconds: 2 + # successThreshold: 1 + # failureThreshold: 5 + livenessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + readinessProbe: + httpGet: + # should match container.healthCheckPath + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + + + # Path of the health check endpoint. All requests received on the port defined by + # the healthz-port parameter are forwarded internally to this path. + healthCheckPath: "/healthz" + + ## Annotations to be added to controller pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + # Define requests resources to avoid probe issues due to CPU utilization in busy nodes + # ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903 + # Ideally, there should be no limits. + # https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/ + resources: + # limits: + # cpu: 100m + # memory: 90Mi + requests: + cpu: 100m + memory: 90Mi + + # Mutually exclusive with keda autoscaling + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + autoscalingTemplate: [] + # Custom or additional autoscaling metrics + # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics + # - type: Pods + # pods: + # metric: + # name: nginx_ingress_controller_nginx_process_requests_total + # target: + # type: AverageValue + # averageValue: 10000m + + # Mutually exclusive with hpa autoscaling + keda: + apiVersion: "keda.sh/v1alpha1" + # apiVersion changes with keda 1.x vs 2.x + # 2.x = keda.sh/v1alpha1 + # 1.x = keda.k8s.io/v1alpha1 + enabled: false + minReplicas: 1 + maxReplicas: 11 + pollingInterval: 30 + cooldownPeriod: 300 + restoreToOriginalReplicaCount: false + scaledObject: + annotations: {} + # Custom annotations for ScaledObject resource + # annotations: + # key: value + triggers: [] + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 + + ## Enable mimalloc as a drop-in replacement for malloc. + ## ref: https://github.com/microsoft/mimalloc + ## + enableMimalloc: true + + ## Override NGINX template + customTemplate: + configMapName: "" + configMapKey: "" + + service: + enabled: true + + annotations: {} + labels: {} + # clusterIP: "" + + ## List of IP addresses at which the controller services are available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + + enableHttp: true + enableHttps: true + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + # Must be either "None" or "ClientIP" if set. Kubernetes will default to "None". + # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + # sessionAffinity: "" + + # specifies the health check node port (numeric port number) for the service. If healthCheckNodePort isn’t specified, + # the service controller allocates a port from your cluster’s NodePort range. + # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + # healthCheckNodePort: 0 + + ports: + http: 80 + https: 443 + + targetPorts: + http: http + https: https + + #type: LoadBalancer + + type: NodePort + # nodePorts: + # http: 32080 + # https: 32443 + # tcp: + # 8080: 32808 + nodePorts: + http: "" + https: "" + tcp: {} + udp: {} + + ## Enables an additional internal load balancer (besides the external one). + ## Annotations are mandatory for the load balancer to come up. Varies with the cloud service. + internal: + enabled: false + annotations: {} + + # loadBalancerIP: "" + + ## Restrict access For LoadBalancer service. Defaults to 0.0.0.0/0. + loadBalancerSourceRanges: [] + + ## Set external traffic policy to: "Local" to preserve source IP on + ## providers supporting it + ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer + # externalTrafficPolicy: "" + + extraContainers: [] + ## Additional containers to be added to the controller pod. + ## See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example. + # - name: my-sidecar + # image: nginx:latest + # - name: lemonldap-ng-controller + # image: lemonldapng/lemonldap-ng-controller:0.2.0 + # args: + # - /lemonldap-ng-controller + # - --alsologtostderr + # - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration + # env: + # - name: POD_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.name + # - name: POD_NAMESPACE + # valueFrom: + # fieldRef: + # fieldPath: metadata.namespace + # volumeMounts: + # - name: copy-portal-skins + # mountPath: /srv/var/lib/lemonldap-ng/portal/skins + + extraVolumeMounts: [] + ## Additional volumeMounts to the controller main container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the controller pod. + # - name: copy-portal-skins + # emptyDir: {} + + extraInitContainers: [] + ## Containers, which are run before the app containers are started. + # - name: init-myservice + # image: busybox + # command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;'] + + admissionWebhooks: + annotations: {} + enabled: true + failurePolicy: Fail + timeoutSeconds: 30 + port: 8443 + certificate: "/usr/local/certificates/cert" + key: "/usr/local/certificates/key" + namespaceSelector: {} + objectSelector: {} + + # Use an existing PSP instead of creating one + existingPsp: "" + + service: + annotations: {} + # clusterIP: "" + externalIPs: [] + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 443 + type: ClusterIP + + patch: + enabled: true + image: + registry: docker.io + image: jettech/kube-webhook-certgen + # for backwards compatibility consider setting the full image url via the repository value below + # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # repository: + tag: v1.5.1 + pullPolicy: IfNotPresent + ## Provide a priority class name to the webhook patching job + ## + priorityClassName: "" + podAnnotations: {} + nodeSelector: {} + tolerations: [] + runAsUser: 2000 + + metrics: + port: 10254 + # if this port is changed, change healthz-port: in extraArgs: accordingly + enabled: false + + service: + annotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "10254" + + # clusterIP: "" + + ## List of IP addresses at which the stats-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 10254 + type: ClusterIP + # externalTrafficPolicy: "" + # nodePort: "" + + serviceMonitor: + enabled: false + additionalLabels: {} + # The label to use to retrieve the job name from. + # jobLabel: "app.kubernetes.io/name" + namespace: "" + namespaceSelector: {} + # Default: scrape .Release.Namespace only + # To scrape all, use the following: + # namespaceSelector: + # any: true + scrapeInterval: 30s + # honorLabels: true + targetLabels: [] + metricRelabelings: [] + + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: "" + rules: [] + # # These are just examples rules, please adapt them to your needs + # - alert: NGINXConfigFailed + # expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: bad ingress config - nginx config test failed + # summary: uninstall the latest ingress changes to allow config reloads to resume + # - alert: NGINXCertificateExpiry + # expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds) by (host) - time()) < 604800 + # for: 1s + # labels: + # severity: critical + # annotations: + # description: ssl certificate(s) will expire in less then a week + # summary: renew expiring certificates to avoid downtime + # - alert: NGINXTooMany500s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 5XXs + # summary: More than 5% of all requests returned 5XX, this requires your attention + # - alert: NGINXTooMany400s + # expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5 + # for: 1m + # labels: + # severity: warning + # annotations: + # description: Too many 4XXs + # summary: More than 5% of all requests returned 4XX, this requires your attention + + ## Improve connection draining when ingress controller pod is deleted using a lifecycle hook: + ## With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds + ## to 300, allowing the draining of connections up to five minutes. + ## If the active connections end before that, the pod will terminate gracefully at that time. + ## To effectively take advantage of this feature, the Configmap feature + ## worker-shutdown-timeout new value is 240s instead of 10s. + ## + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + + priorityClassName: "" + +## Rollback limit +## +revisionHistoryLimit: 10 + +## Default 404 backend +## +defaultBackend: + ## + enabled: false + + name: defaultbackend + image: + registry: k8s.gcr.io + image: defaultbackend-amd64 + # for backwards compatibility consider setting the full image url via the repository value below + # use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail + # repository: + tag: "1.5" + pullPolicy: IfNotPresent + # nobody user -> uid 65534 + runAsUser: 65534 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + + # Use an existing PSP instead of creating one + existingPsp: "" + + extraArgs: {} + + serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + ## Additional environment variables to set for defaultBackend pods + extraEnvs: [] + + port: 8080 + + ## Readiness and liveness probes for default backend + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + ## + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 6 + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + affinity: {} + + ## Security Context policies for controller pods + ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for + ## notes on enabling and using sysctls + ## + podSecurityContext: {} + + # labels to add to the pod container metadata + podLabels: {} + # key: value + + ## Node labels for default backend pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to default backend pods + ## + podAnnotations: {} + + replicaCount: 1 + + minAvailable: 1 + + resources: {} + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi + + extraVolumeMounts: [] + ## Additional volumeMounts to the default backend container. + # - name: copy-portal-skins + # mountPath: /var/lib/lemonldap-ng/portal/skins + + extraVolumes: [] + ## Additional volumes to the default backend pod. + # - name: copy-portal-skins + # emptyDir: {} + + autoscaling: + annotations: {} + enabled: false + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 50 + targetMemoryUtilizationPercentage: 50 + + service: + annotations: {} + + # clusterIP: "" + + ## List of IP addresses at which the default backend service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + # loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + type: ClusterIP + + priorityClassName: "" + +## Enable RBAC as per https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 +rbac: + create: true + scope: false + +# If true, create & use Pod Security Policy resources +# https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +podSecurityPolicy: + enabled: false + +serviceAccount: + create: true + name: "" + automountServiceAccountToken: true + +## Optional array of imagePullSecrets containing private registry credentials +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# - name: secretName + +# TCP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/tcp +## +tcp: {} +# 8080: "default/example-tcp-svc:9000" + +# UDP service key:value pairs +# Ref: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx/examples/udp +## +udp: {} +# 53: "kube-system/kube-dns:53" + +# A base64ed Diffie-Hellman parameter +# This can be generated with: openssl dhparam 4096 2> /dev/null | base64 +# Ref: https://github.com/krmichel/ingress-nginx/blob/master/docs/examples/customization/ssl-dh-param +dhParam: diff --git a/yaml/monitoring/grafana-cert.yaml b/yaml/monitoring/grafana-cert.yaml new file mode 100644 index 0000000..46322a4 --- /dev/null +++ b/yaml/monitoring/grafana-cert.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana-cert + namespace: monitoring +spec: + secretName: grafana-tls + issuerRef: + name: letsencrypt-production-dns + kind: ClusterIssuer + commonName: 'grafana.${CLUSTER_DOMAIN}' + dnsNames: + - 'grafana.${CLUSTER_DOMAIN}' + privateKey: + algorithm: ECDSA diff --git a/yaml/monitoring/grafana-ingress-secure.yaml b/yaml/monitoring/grafana-ingress-secure.yaml new file mode 100644 index 0000000..4295944 --- /dev/null +++ b/yaml/monitoring/grafana-ingress-secure.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grafana + annotations: + kubernetes.io/ingress.class: nginx +spec: + rules: + - host: grafana.${CLUSTER_DOMAIN} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: grafana + port: + number: 80 + tls: + - secretName: grafana-tls + hosts: + - grafana.${CLUSTER_DOMAIN} diff --git a/yaml/monitoring/grafana-ingress.yaml b/yaml/monitoring/grafana-ingress.yaml new file mode 100644 index 0000000..6b88dd7 --- /dev/null +++ b/yaml/monitoring/grafana-ingress.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grafana + annotations: + kubernetes.io/ingress.class: nginx +spec: + rules: + - host: grafana.${CLUSTER_DOMAIN} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: grafana + port: + number: 80 \ No newline at end of file diff --git a/yaml/monitoring/grafana-values.yaml b/yaml/monitoring/grafana-values.yaml new file mode 100644 index 0000000..d98e890 --- /dev/null +++ b/yaml/monitoring/grafana-values.yaml @@ -0,0 +1,752 @@ +rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-(cluster)role + pspEnabled: true + pspUseAppArmor: true + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] +serviceAccount: + create: true + name: + nameTest: +# annotations: +# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + +replicas: 1 + +## Create HorizontalPodAutoscaler object for deployment type +# +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +## See `kubectl explain poddisruptionbudget.spec` for more +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} +# minAvailable: 1 +# maxUnavailable: 1 + +## See `kubectl explain deployment.spec.strategy` for more +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deploymentStrategy: + type: RollingUpdate + +readinessProbe: + httpGet: + path: /api/health + port: 3000 + +livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +image: + repository: grafana/grafana + tag: 8.0.0 + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistrKeySecretName + +testFramework: + enabled: true + image: "bats/bats" + tag: "v1.1.0" + imagePullPolicy: IfNotPresent + securityContext: {} + +securityContext: + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + +containerSecurityContext: + {} + +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/grafana/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + + +extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/grafana/provisioning/notifiers + + +# Apply extra labels to common labels. +extraLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +downloadDashboardsImage: + repository: curlimages/curl + tag: 7.73.0 + sha: "" + pullPolicy: IfNotPresent + +downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + +## Pod Annotations +# podAnnotations: {} + +## Pod Labels +# podLabels: {} + +podPortName: grafana + +## Deployment annotations +# annotations: {} + +## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + enabled: true + type: ClusterIP + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + annotations: {} + labels: {} + portName: service + +serviceMonitor: + ## If true, a ServiceMonitor CRD is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 1m + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + +extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + # type: ClusterIP + +# overrides pod.spec.hostAliases in the grafana deployment's pods +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s > 1.19 + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: service + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# +nodeSelector: {} + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +extraInitContainers: [] + +## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod +extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## Volumes that can be used in init containers that will not be mounted to deployment pods +extraContainerVolumes: [] +# - name: volume-from-secret +# secret: +# secretName: secret-to-mount +# - name: empty-dir-volume +# emptyDir: {} + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + type: pvc + enabled: true + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 8Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + subPath: "" + existingClaim: "monitoring-grafana-data" + + ## If persistence is not enabled, this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + +initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the prometheus-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## + image: + repository: busybox + tag: "1.31.1" + sha: "" + pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + +# Administrator credentials when not using an existing secret (see below) +adminUser: admin +# adminPassword: strongpassword + +# Use an existing secret for the admin user. +admin: + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + +## Define command to be executed at startup by grafana container +## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) +## Default is "run.sh" as defined in grafana's Dockerfile +# command: +# - "sh" +# - "/run.sh" + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Extra environment variables that will be pass onto deployment pods +## +## to provide grafana with access to CloudWatch on AWS EKS: +## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) +## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the +## same oidc eks provider as noted before (same as the existing line) +## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name +## +## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana", +## +## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess +## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) +## +## env: +## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here +## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +## AWS_REGION: us-east-1 +## +## 5. uncomment the EKS section in extraSecretMounts: below +## 6. uncomment the annotation section in the serviceAccount: above +## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + +env: {} + +## "valueFrom" environment variable references that will be added to deployment pods +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core +## Renders in container spec as: +## env: +## ... +## - name: +## valueFrom: +## +envValueFrom: {} + +## The name of a secret in the same kubernetes namespace which contain values to be added to the environment +## This can be useful for auth tokens, etc. Value is templated. +envFromSecret: "" + +## Sensible environment variables that will be rendered as new secret object +## This can be useful for auth tokens, etc +envRenderSecret: {} + +## Additional grafana server secret mounts +# Defines additional mounts with secrets. Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-grafana-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: grafana-akv-creds # Only required when using service principal mode + +## Additional grafana server volume mounts +# Defines additional volume mounts. +extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # existingClaim: volume-claim + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # hostPath: /usr/shared/ + +## Pass the plugins you want installed as a list. +## +plugins: [] + # - digrich-bubblechart-panel + # - grafana-clock-panel + +## Configure grafana datasources +## ref: http://docs.grafana.org/administration/provisioning/#datasources +## +#datasources: {} +# datasources.yaml: +# apiVersion: 1 +# datasources: +# - name: Prometheus +# type: prometheus +# url: http://prometheus-prometheus-server +# access: proxy +# isDefault: true +# - name: CloudWatch +# type: cloudwatch +# access: proxy +# uid: cloudwatch +# editable: false +# jsonData: +# authType: credentials +# defaultRegion: us-east-1 +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + url: http://prometheus-server.monitoring.svc.cluster.local + access: proxy + isDefault: true + - name: Loki + type: loki + url: http://loki.monitoring.svc.cluster.local:3100 + accesS: proxy + isDefault: false + +## Configure notifiers +## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels +## +notifiers: {} +# notifiers.yaml: +# notifiers: +# - name: email-notifier +# type: email +# uid: email1 +# # either: +# org_id: 1 +# # or +# org_name: Main Org. +# is_default: true +# settings: +# addresses: an_email_address@example.com +# delete_notifiers: + +## Configure grafana dashboard providers +## ref: http://docs.grafana.org/administration/provisioning/#dashboards +## +## `path` must be /var/lib/grafana/dashboards/ +## +dashboardProviders: {} +# dashboardproviders.yaml: +# apiVersion: 1 +# providers: +# - name: 'default' +# orgId: 1 +# folder: '' +# type: file +# disableDeletion: false +# editable: true +# options: +# path: /var/lib/grafana/dashboards/default + +## Configure grafana dashboard to import +## NOTE: To use dashboards you must also enable/configure dashboardProviders +## ref: https://grafana.com/dashboards +## +## dashboards per provider, use provider name as key. +## +dashboards: {} + # default: + # some-dashboard: + # json: | + # $RAW_JSON + # custom-dashboard: + # file: dashboards/custom-dashboard.json + # prometheus-stats: + # gnetId: 2 + # revision: 2 + # datasource: Prometheus + # local-dashboard: + # url: https://example.com/repository/test.json + # token: '' + # local-dashboard-base64: + # url: https://example.com/repository/test-b64.json + # token: '' + # b64content: true + +## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. +## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. +## ConfigMap data example: +## +## data: +## example-dashboard.json: | +## RAW_JSON +## +dashboardsConfigMaps: {} +# default: "" + +## Grafana's primary configuration +## NOTE: values in map will be converted to ini format +## ref: http://docs.grafana.org/installation/configuration/ +## +grafana.ini: + paths: + data: /var/lib/grafana/ + logs: /var/log/grafana + plugins: /var/lib/grafana/plugins + provisioning: /etc/grafana/provisioning + analytics: + check_for_updates: true + log: + mode: console + grafana_net: + url: https://grafana.net +## grafana Authentication can be enabled with the following values on grafana.ini + # server: + # The full public facing url you use in browser, used for redirects and emails + # root_url: + # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana + # auth.github: + # enabled: false + # allow_sign_up: false + # scopes: user:email,read:org + # auth_url: https://github.com/login/oauth/authorize + # token_url: https://github.com/login/oauth/access_token + # api_url: https://api.github.com/user + # team_ids: + # allowed_organizations: + # client_id: + # client_secret: +## LDAP Authentication can be enabled with the following values on grafana.ini +## NOTE: Grafana will fail to start if the value for ldap.toml is invalid + # auth.ldap: + # enabled: true + # allow_sign_up: true + # config_file: /etc/grafana/ldap.toml + +## Grafana's LDAP configuration +## Templated by the template in _helpers.tpl +## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled +## ref: http://docs.grafana.org/installation/configuration/#auth-ldap +## ref: http://docs.grafana.org/installation/ldap/#configuration +ldap: + enabled: false + # `existingSecret` is a reference to an existing secret containing the ldap configuration + # for Grafana in a key `ldap-toml`. + existingSecret: "" + # `config` is the content of `ldap.toml` that will be stored in the created secret + config: "" + # config: |- + # verbose_logging = true + + # [[servers]] + # host = "my-ldap-server" + # port = 636 + # use_ssl = true + # start_tls = false + # ssl_skip_verify = false + # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + +## Grafana's SMTP configuration +## NOTE: To enable, grafana.ini must be configured with smtp.enabled +## ref: http://docs.grafana.org/installation/configuration/#smtp +smtp: + # `existingSecret` is a reference to an existing secret containing the smtp configuration + # for Grafana. + existingSecret: "" + userKey: "user" + passwordKey: "password" + +## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders +## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards +sidecar: + image: + repository: quay.io/kiwigrid/k8s-sidecar + tag: 1.10.7 + sha: "" + imagePullPolicy: IfNotPresent + resources: {} +# limits: +# cpu: 100m +# memory: 100Mi +# requests: +# cpu: 50m +# memory: 50Mi + # skipTlsVerify Set to true to skip tls verification for kube api calls + # skipTlsVerify: true + enableUniqueFilenames: false + dashboards: + enabled: false + SCProvider: true + # label that the configmaps with dashboards are marked with + label: grafana_dashboard + # value of label that the configmaps with dashboards are set to + labelValue: null + # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set) + folder: /tmp/dashboards + # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead + defaultFolderName: null + # If specified, the sidecar will search for dashboard config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # search in configmap, secret or both + resource: both + # If specified, the sidecar will look for annotation with this name to create folder and put graph here. + # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure. + folderAnnotation: null + # provider configuration that lets grafana manage the dashboards + provider: + # name of the provider, should be unique + name: sidecarProvider + # orgid as configured in grafana + orgid: 1 + # folder in which the dashboards should be imported in grafana + folder: '' + # type of the provider + type: file + # disableDelete to activate a import-only behaviour + disableDelete: false + # allow updating provisioned dashboards from the UI + allowUiUpdates: false + # allow Grafana to replicate dashboard structure from filesystem + foldersFromFilesStructure: false + datasources: + enabled: false + # label that the configmaps with datasources are marked with + label: grafana_datasource + # value of label that the configmaps with datasources are set to + labelValue: null + # If specified, the sidecar will search for datasource config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # search in configmap, secret or both + resource: both + notifiers: + enabled: false + # label that the configmaps with notifiers are marked with + label: grafana_notifier + # If specified, the sidecar will search for notifier config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # search in configmap, secret or both + resource: both + +## Override the deployment namespace +## +namespaceOverride: "" + +## Number of old ReplicaSets to retain +## +revisionHistoryLimit: 10 + +## Add a seperate remote image renderer deployment/service +imageRenderer: + # Enable the image-renderer deployment & service + enabled: false + replicas: 1 + image: + # image-renderer Image repository + repository: grafana/grafana-image-renderer + # image-renderer Image tag + tag: latest + # image-renderer Image sha (optional) + sha: "" + # image-renderer ImagePullPolicy + pullPolicy: Always + # extra environment variables + env: + HTTP_HOST: "0.0.0.0" + # RENDERING_ARGS: --disable-gpu,--window-size=1280x758 + # RENDERING_MODE: clustered + # image-renderer deployment serviceAccount + serviceAccountName: "" + # image-renderer deployment securityContext + securityContext: {} + # image-renderer deployment Host Aliases + hostAliases: [] + # image-renderer deployment priority class + priorityClassName: '' + service: + # Enable the image-renderer service + enabled: true + # image-renderer service port name + portName: 'http' + # image-renderer service port used by both service and deployment + port: 8081 + targetPort: 8081 + # In case a sub_path is used this needs to be added to the image renderer callback + grafanaSubPath: "" + # name of the image-renderer port on the pod + podPortName: http + # number of image-renderer replica sets to keep + revisionHistoryLimit: 10 + networkPolicy: + # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods + limitIngress: true + # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods + limitEgress: false + resources: {} +# limits: +# cpu: 100m +# memory: 100Mi +# requests: +# cpu: 50m +# memory: 50Mi diff --git a/yaml/monitoring/grafana-volumes.yaml b/yaml/monitoring/grafana-volumes.yaml new file mode 100644 index 0000000..90f720e --- /dev/null +++ b/yaml/monitoring/grafana-volumes.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: monitoring-grafana-data +spec: + capacity: + storage: 8Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + rbd: + monitors: + - ${CEPH_MONITOR_1}:6789 + - ${CEPH_MONITOR_2}:6789 + - ${CEPH_MONITOR_3}:6789 + pool: kube + user: kube + secretRef: + name: ceph-secret-kube + namespace: kube-system + fsType: ext4 + readOnly: false + image: grafana-data +--- +apiVersion: "v1" +kind: "PersistentVolumeClaim" +metadata: + name: monitoring-grafana-data + namespace: monitoring +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi + volumeName: "monitoring-grafana-data" \ No newline at end of file diff --git a/yaml/monitoring/loki-v12-ext-svc.yaml b/yaml/monitoring/loki-v12-ext-svc.yaml new file mode 100644 index 0000000..8045684 --- /dev/null +++ b/yaml/monitoring/loki-v12-ext-svc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: loki-v12 + namespace: monitoring +spec: + type: ExternalName + externalName: loki.loki.svc.cluster.local + ports: + - port: 3100 + name: http-metrics + targetPort: http-metrics \ No newline at end of file diff --git a/yaml/monitoring/loki-v12-values-long.yaml b/yaml/monitoring/loki-v12-values-long.yaml new file mode 100644 index 0000000..d520e9a --- /dev/null +++ b/yaml/monitoring/loki-v12-values-long.yaml @@ -0,0 +1,1468 @@ +global: + image: + # -- Overrides the Docker registry globally for all images + registry: null + # -- Overrides the priorityClassName for all pods + priorityClassName: null + # -- configures cluster domain ("cluster.local" by default) + clusterDomain: "cluster.local" + # -- configures DNS service name + dnsService: "kube-dns" + # -- configures DNS service namespace + dnsNamespace: "kube-system" +# -- Overrides the chart's name +nameOverride: null +# -- Overrides the chart's computed fullname +fullnameOverride: null +# -- Overrides the chart's cluster label +clusterLabelOverride: null +# -- Image pull secrets for Docker images +imagePullSecrets: [] +kubectlImage: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: bitnami/kubectl + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +loki: + # Configures the readiness probe for all of the Loki pods + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 30 + timeoutSeconds: 1 + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki + # -- Overrides the image tag whose default is the chart's appVersion + # TODO: needed for 3rd target backend functionality + # revert to null or latest once this behavior is relased + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + # -- Common annotations for all deployments/StatefulSets + annotations: {} + # -- Common annotations for all pods + podAnnotations: {} + # -- Common labels for all pods + podLabels: {} + # -- The number of old ReplicaSets to retain to allow rollback + revisionHistoryLimit: 10 + # -- The SecurityContext for Loki pods + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + # -- The SecurityContext for Loki containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + # -- Should enableServiceLinks be enabled. Default to enable + enableServiceLinks: true + # -- Specify an existing secret containing loki configuration. If non-empty, overrides `loki.config` + existingSecretForConfig: "" + # -- Defines what kind of object stores the configuration, a ConfigMap or a Secret. + # In order to move sensitive information (such as credentials) from the ConfigMap/Secret to a more secure location (e.g. vault), it is possible to use [environment variables in the configuration](https://grafana.com/docs/loki/latest/configuration/#use-environment-variables-in-the-configuration). + # Such environment variables can be then stored in a separate Secret and injected via the global.extraEnvFrom value. For details about environment injection from a Secret please see [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables). + configStorageType: ConfigMap + # -- Name of the Secret or ConfigMap that contains the configuration (used for naming even if config is internal). + externalConfigSecretName: '{{ include "loki.name" . }}' + # -- Config file contents for Loki + # @default -- See values.yaml + config: | + {{- if .Values.enterprise.enabled}} + {{- tpl .Values.enterprise.config . }} + {{- else }} + auth_enabled: {{ .Values.loki.auth_enabled }} + {{- end }} + + {{- with .Values.loki.server }} + server: + {{- toYaml . | nindent 2}} + {{- end}} + + memberlist: + {{- if .Values.loki.extraMemberlistConfig}} + {{- toYaml .Values.loki.extraMemberlistConfig | nindent 2}} + {{- end }} + join_members: + - {{ include "loki.memberlist" . }} + {{- with .Values.migrate.fromDistributed }} + {{- if .enabled }} + - {{ .memberlistService }} + {{- end }} + {{- end }} + + {{- with .Values.loki.ingester }} + ingester: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- if .Values.loki.commonConfig}} + common: + {{- toYaml .Values.loki.commonConfig | nindent 2}} + storage: + {{- include "loki.commonStorageConfig" . | nindent 4}} + {{- end}} + + {{- with .Values.loki.limits_config }} + limits_config: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + runtime_config: + file: /etc/loki/runtime-config/runtime-config.yaml + + {{- with .Values.loki.memcached.chunk_cache }} + {{- if and .enabled (or .host .addresses) }} + chunk_store_config: + chunk_cache_config: + memcached: + batch_size: {{ .batch_size }} + parallelism: {{ .parallelism }} + memcached_client: + {{- if .host }} + host: {{ .host }} + {{- end }} + {{- if .addresses }} + addresses: {{ .addresses }} + {{- end }} + service: {{ .service }} + {{- end }} + {{- end }} + + {{- if .Values.loki.schemaConfig}} + schema_config: + {{- toYaml .Values.loki.schemaConfig | nindent 2}} + {{- else }} + schema_config: + configs: + - from: 2022-01-11 + store: boltdb-shipper + object_store: {{ .Values.loki.storage.type }} + schema: v12 + index: + prefix: loki_index_ + period: 24h + {{- end }} + + {{ include "loki.rulerConfig" . }} + + table_manager: + retention_deletes_enabled: {{ .Values.tableManager.retention_deletes_enabled }} + retention_period: {{ .Values.tableManager.retention_period }} + + {{- with .Values.loki.memcached.results_cache }} + query_range: + align_queries_with_step: true + {{- if and .enabled (or .host .addresses) }} + cache_results: {{ .enabled }} + results_cache: + cache: + default_validity: {{ .default_validity }} + memcached_client: + {{- if .host }} + host: {{ .host }} + {{- end }} + {{- if .addresses }} + addresses: {{ .addresses }} + {{- end }} + service: {{ .service }} + timeout: {{ .timeout }} + {{- end }} + {{- end }} + + {{- with .Values.loki.storage_config }} + storage_config: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.query_scheduler }} + query_scheduler: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.compactor }} + compactor: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.analytics }} + analytics: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.querier }} + querier: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.index_gateway }} + index_gateway: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.frontend }} + frontend: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.frontend_worker }} + frontend_worker: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + # Should authentication be enabled + auth_enabled: false + # Extra memberlist configuration + extraMemberlistConfig: {} + # -- Tenants list to be created on nginx htpasswd file, with name and password keys + tenants: [] + # -- Check https://grafana.com/docs/loki/latest/configuration/#server for more info on the server configuration. + server: + http_listen_port: 3100 + grpc_listen_port: 9095 + # -- Limits config + limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h + retention_period: 4320h + retention_stream: + - selector: '{namespace="ingress-nginx"}' + priority: 1 + period: 744h + - selector: '{app="abios-sync"}' + priority: 1 + period: 744h + - selector: '{app="ingress-nginx"}' + priority: 1 + period: 744h + - selector: '{app="matches"}' + priority: 1 + period: 744h + - selector: '{app="socket-server"}' + priority: 1 + period: 744h + + # -- Provides a reloadable runtime configuration file for some specific configuration + runtimeConfig: {} + # -- Check https://grafana.com/docs/loki/latest/configuration/#common_config for more info on how to provide a common configuration + commonConfig: + path_prefix: /var/loki + replication_factor: 1 + compactor_address: '{{ include "loki.compactorAddress" . }}' + # -- Storage config. Providing this will automatically populate all necessary storage configs in the templated config. + storage: + bucketNames: + chunks: chunks + ruler: ruler + admin: admin + type: filesystem + s3: + s3: null + endpoint: null + region: null + secretAccessKey: null + accessKeyId: null + signatureVersion: null + s3ForcePathStyle: false + insecure: false + http_config: {} + gcs: + chunkBufferSize: 0 + requestTimeout: "0s" + enableHttp2: true + azure: + accountName: null + accountKey: null + useManagedIdentity: false + useFederatedToken: false + userAssignedId: null + requestTimeout: null + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + boltdb_shipper: + active_index_directory: /var/loki/boltdb-shipper-active + cache_location: /var/loki/boltdb-shipper-cache + cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space + shared_store: filesystem + # -- Configure memcached as an external cache for chunk and results cache. Disabled by default + # must enable and specify a host for each cache you would like to use. + memcached: + chunk_cache: + enabled: false + host: "" + service: "memcached-client" + batch_size: 256 + parallelism: 10 + results_cache: + enabled: false + host: "" + service: "memcached-client" + timeout: "500ms" + default_validity: "12h" + # -- Check https://grafana.com/docs/loki/latest/configuration/#schema_config for more info on how to configure schemas + schemaConfig: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + - from: 2023-06-13 + store: boltdb-shipper + object_store: filesystem + schema: v12 + index: + prefix: index_ + period: 24h + # -- Check https://grafana.com/docs/loki/latest/configuration/#ruler for more info on configuring ruler + rulerConfig: {} + # -- Structured loki configuration, takes precedence over `loki.config`, `loki.schemaConfig`, `loki.storageConfig` + structuredConfig: {} + # -- Additional query scheduler config + query_scheduler: {} + # -- Additional storage config + storage_config: + hedging: + at: "250ms" + max_per_second: 20 + up_to: 3 + # -- Optional compactor configuration + compactor: + working_directory: /var/loki/boltdb-shipper-compactor + shared_store: filesystem + retention_enabled: true + # -- Optional analytics configuration + analytics: {} + # -- Optional querier configuration + querier: {} + # -- Optional ingester configuration + ingester: + chunk_idle_period: 3m + chunk_block_size: 262144 + chunk_retain_period: 1m + max_transfer_retries: 0 + wal: + dir: /var/loki/wal + lifecycler: + ring: + kvstore: + store: inmemory + replication_factor: 1 + + # -- Optional index gateway configuration + index_gateway: + mode: ring + frontend: + scheduler_address: '{{ include "loki.querySchedulerAddress" . }}' + frontend_worker: + scheduler_address: '{{ include "loki.querySchedulerAddress" . }}' +enterprise: + # Enable enterprise features, license must be provided + enabled: false + # Default verion of GEL to deploy + version: v1.7.2 + # -- Optional name of the GEL cluster, otherwise will use .Release.Name + # The cluster name must match what is in your GEL license + cluster_name: null + # -- Grafana Enterprise Logs license + # In order to use Grafana Enterprise Logs features, you will need to provide + # the contents of your Grafana Enterprise Logs license, either by providing the + # contents of the license.jwt, or the name Kubernetes Secret that contains your + # license.jwt. + # To set the license contents, use the flag `--set-file 'enterprise.license.contents=./license.jwt'` + license: + contents: "NOTAVALIDLICENSE" + # -- Set to true when providing an external license + useExternalLicense: false + # -- Name of external license secret to use + externalLicenseName: null + # -- Name of the external config secret to use + externalConfigName: "" + # -- If enabled, the correct admin_client storage will be configured. If disabled while running enterprise, + # make sure auth is set to `type: trust`, or that `auth_enabled` is set to `false`. + adminApi: + enabled: true + # enterprise specific sections of the config.yaml file + config: | + {{- if .Values.enterprise.adminApi.enabled }} + {{- if or .Values.minio.enabled (eq .Values.loki.storage.type "s3") (eq .Values.loki.storage.type "gcs") (eq .Values.loki.storage.type "azure") }} + admin_client: + storage: + s3: + bucket_name: {{ .Values.loki.storage.bucketNames.admin }} + {{- end }} + {{- end }} + auth: + type: {{ .Values.enterprise.adminApi.enabled | ternary "enterprise" "trust" }} + auth_enabled: {{ .Values.loki.auth_enabled }} + cluster_name: {{ include "loki.clusterName" . }} + license: + path: /etc/loki/license/license.jwt + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/enterprise-logs + # -- Docker image tag + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + adminToken: + # -- Alternative name for admin token secret, needed by tokengen and provisioner jobs + secret: null + # -- Additional namespace to also create the token in. Useful if your Grafana instance + # is in a different namespace + additionalNamespaces: [] + # -- Alternative name of the secret to store token for the canary + canarySecret: null + # -- Configuration for `tokengen` target + tokengen: + # -- Whether the job should be part of the deployment + enabled: true + # -- Comma-separated list of Loki modules to load for tokengen + targetModule: "tokengen" + # -- Additional CLI arguments for the `tokengen` target + extraArgs: [] + # -- Additional Kubernetes environment + env: [] + # -- Additional labels for the `tokengen` Job + labels: {} + # -- Additional annotations for the `tokengen` Job + annotations: {} + # -- Tolerations for tokengen Job + tolerations: [] + # -- Additional volumes for Pods + extraVolumes: [] + # -- Additional volume mounts for Pods + extraVolumeMounts: [] + # -- Run containers as user `enterprise-logs(uid=10001)` + securityContext: + runAsNonRoot: true + runAsGroup: 10001 + runAsUser: 10001 + fsGroup: 10001 + # -- Environment variables from secrets or configmaps to add to the tokengen pods + extraEnvFrom: [] + # -- The name of the PriorityClass for tokengen Pods + priorityClassName: "" + # -- Configuration for `provisioner` target + provisioner: + # -- Whether the job should be part of the deployment + enabled: true + # -- Name of the secret to store provisioned tokens in + provisionedSecretPrefix: null + # -- Additional tenants to be created. Each tenant will get a read and write policy + # and associated token. Tenant must have a name and a namespace for the secret containting + # the token to be created in. For example + # additionalTenants: + # - name: loki + # secretNamespace: grafana + additionalTenants: [] + # -- Additional Kubernetes environment + env: [] + # -- Additional labels for the `provisioner` Job + labels: {} + # -- Additional annotations for the `provisioner` Job + annotations: {} + # -- The name of the PriorityClass for provisioner Job + priorityClassName: null + # -- Run containers as user `enterprise-logs(uid=10001)` + securityContext: + runAsNonRoot: true + runAsGroup: 10001 + runAsUser: 10001 + fsGroup: 10001 + # -- Provisioner image to Utilize + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/enterprise-logs-provisioner + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + # -- Volume mounts to add to the provisioner pods + extraVolumeMounts: [] +# -- Options that may be necessary when performing a migration from another helm chart +migrate: + # -- When migrating from a distributed chart like loki-distributed or enterprise-logs + fromDistributed: + # -- Set to true if migrating from a distributed helm chart + enabled: false + # -- If migrating from a distributed service, provide the distributed deployment's + # memberlist service DNS so the new deployment can join its ring. + memberlistService: "" +serviceAccount: + # -- Specifies whether a ServiceAccount should be created + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: null + # -- Image pull secrets for the service account + imagePullSecrets: [] + # -- Annotations for the service account + annotations: {} + # -- Labels for the service account + labels: {} + # -- Set this toggle to false to opt out of automounting API credentials for the service account + automountServiceAccountToken: true +# RBAC configuration +rbac: + # -- If pspEnabled true, a PodSecurityPolicy is created for K8s that use psp. + pspEnabled: false + # -- For OpenShift set pspEnabled to 'false' and sccEnabled to 'true' to use the SecurityContextConstraints. + sccEnabled: false +# -- Section for configuring optional Helm test +test: + enabled: false + # -- Address of the prometheus server to query for the test + prometheusAddress: "http://prometheus:9090" + # -- Number of times to retry the test before failing + timeout: 1m + # -- Additional labels for the test pods + labels: {} + # -- Additional annotations for test pods + annotations: {} + # -- Image to use for loki canary + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki-helm-test + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +# Monitoring section determines which monitoring features to enable +monitoring: + # Dashboards for monitoring Loki + dashboards: + # -- If enabled, create configmap with dashboards for monitoring Loki + enabled: false + # -- Alternative namespace to create dashboards ConfigMap in + namespace: null + # -- Additional annotations for the dashboards ConfigMap + annotations: {} + # -- Labels for the dashboards ConfigMap + labels: + grafana_dashboard: "1" + # Recording rules for monitoring Loki, required for some dashboards + rules: + # -- If enabled, create PrometheusRule resource with Loki recording rules + enabled: false + # -- Include alerting rules + alerting: true + # -- Alternative namespace to create PrometheusRule resources in + namespace: null + # -- Additional annotations for the rules PrometheusRule resource + annotations: {} + # -- Additional labels for the rules PrometheusRule resource + labels: {} + # -- Additional groups to add to the rules file + additionalGroups: [] + # - name: additional-loki-rules + # rules: + # - record: job:loki_request_duration_seconds_bucket:sum_rate + # expr: sum(rate(loki_request_duration_seconds_bucket[1m])) by (le, job) + # - record: job_route:loki_request_duration_seconds_bucket:sum_rate + # expr: sum(rate(loki_request_duration_seconds_bucket[1m])) by (le, job, route) + # - record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_rate + # expr: sum(rate(container_cpu_usage_seconds_total[1m])) by (node, namespace, pod, container) + # ServiceMonitor configuration + serviceMonitor: + # -- If enabled, ServiceMonitor resources for Prometheus Operator are created + enabled: false + # -- Namespace selector for ServiceMonitor resources + namespaceSelector: {} + # -- ServiceMonitor annotations + annotations: {} + # -- Additional ServiceMonitor labels + labels: {} + # -- ServiceMonitor scrape interval + # Default is 15s because included recording rules use a 1m rate, and scrape interval needs to be at + # least 1/4 rate interval. + interval: 15s + # -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s) + scrapeTimeout: null + # -- ServiceMonitor relabel configs to apply to samples before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + relabelings: [] + # -- ServiceMonitor will use http by default, but you can pick https as well + scheme: http + # -- ServiceMonitor will use these tlsConfig settings to make the health check requests + tlsConfig: null + # -- If defined, will create a MetricsInstance for the Grafana Agent Operator. + metricsInstance: + # -- If enabled, MetricsInstance resources for Grafana Agent Operator are created + enabled: true + # -- MetricsInstance annotations + annotations: {} + # -- Additional MetricsInstance labels + labels: {} + # -- If defined a MetricsInstance will be created to remote write metrics. + remoteWrite: null + # Self monitoring determines whether Loki should scrape its own logs. + # This feature currently relies on the Grafana Agent Operator being installed, + # which is installed by default using the grafana-agent-operator sub-chart. + # It will create custom resources for GrafanaAgent, LogsInstance, and PodLogs to configure + # scrape configs to scrape its own logs with the labels expected by the included dashboards. + selfMonitoring: + enabled: false + # -- Tenant to use for self monitoring + tenant: + # -- Name of the tenant + name: "self-monitoring" + # -- Namespace to create additional tenant token secret in. Useful if your Grafana instance + # is in a separate namespace. Token will still be created in the canary namespace. + secretNamespace: "{{ .Release.Namespace }}" + # Grafana Agent configuration + grafanaAgent: + # -- Controls whether to install the Grafana Agent Operator and its CRDs. + # Note that helm will not install CRDs if this flag is enabled during an upgrade. + # In that case install the CRDs manually from https://github.com/grafana/agent/tree/main/production/operator/crds + installOperator: true + # -- Grafana Agent annotations + annotations: {} + # -- Additional Grafana Agent labels + labels: {} + # -- Enable the config read api on port 8080 of the agent + enableConfigReadAPI: false + # PodLogs configuration + podLogs: + # -- PodLogs annotations + annotations: {} + # -- Additional PodLogs labels + labels: {} + # -- PodLogs relabel configs to apply to samples before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + relabelings: [] + # LogsInstance configuration + logsInstance: + # -- LogsInstance annotations + annotations: {} + # -- Additional LogsInstance labels + labels: {} + # -- Additional clients for remote write + clients: null + # The Loki canary pushes logs to and queries from this loki installation to test + # that it's working correctly + lokiCanary: + enabled: false + # -- Additional annotations for the `loki-canary` Daemonset + annotations: {} + # -- Additional CLI arguments for the `loki-canary' command + extraArgs: [] + # -- Environment variables to add to the canary pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the canary pods + extraEnvFrom: [] + # -- Resource requests and limits for the canary + resources: {} + # -- Node selector for canary pods + nodeSelector: {} + # -- Tolerations for canary pods + tolerations: [] + # -- Image to use for loki canary + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki-canary + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +# Configuration for the write pod(s) +write: + # -- Number of replicas for the write + replicas: 0 + autoscaling: + # -- Enable autoscaling for the write. + enabled: false + # -- Minimum autoscaling replicas for the write. + minReplicas: 1 + # -- Maximum autoscaling replicas for the write. + maxReplicas: 3 + # -- Target CPU utilisation percentage for the write. + targetCPUUtilizationPercentage: 60 + # -- Target memory utilization percentage for the write. + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: + # -- see https://github.com/grafana/loki/blob/main/docs/sources/operations/storage/wal.md#how-to-scale-updown for scaledown details + scaleUp: + policies: + - type: Pods + value: 1 + periodSeconds: 900 + scaleDown: + policies: + - type: Pods + value: 1 + periodSeconds: 1800 + stabilizationWindowSeconds: 3600 + image: + # -- The Docker registry for the write image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the write image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the write image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for write pods + priorityClassName: null + # -- Annotations for write StatefulSet + annotations: {} + # -- Annotations for write pods + podAnnotations: {} + # -- Additional labels for each `write` pod + podLabels: {} + # -- Additional selector labels for each `write` pod + selectorLabels: {} + # -- Labels for ingester service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the write + targetModule: "write" + # -- Additional CLI args for the write + extraArgs: [] + # -- Environment variables to add to the write pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the write pods + extraEnvFrom: [] + # -- Lifecycle for the write container + lifecycle: {} + # -- The default /flush_shutdown preStop hook is recommended as part of the ingester + # scaledown process so it's added to the template by default when autoscaling is enabled, + # but it's disabled to optimize rolling restarts in instances that will never be scaled + # down or when using chunks storage with WAL disabled. + # https://github.com/grafana/loki/blob/main/docs/sources/operations/storage/wal.md#how-to-scale-updown + # -- Init containers to add to the write pods + initContainers: [] + # -- Volume mounts to add to the write pods + extraVolumeMounts: [] + # -- Volumes to add to the write pods + extraVolumes: [] + # -- volumeClaimTemplates to add to StatefulSet + extraVolumeClaimTemplates: [] + # -- Resource requests and limits for the write + resources: {} + # -- Grace period to allow the write to shutdown before it is killed. Especially for the ingester, + # this must be increased. It must be long enough so writes can be gracefully shutdown flushing/transferring + # all data and to successfully leave the member ring on shutdown. + terminationGracePeriodSeconds: 300 + # -- Affinity for write pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.writeSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for write pods + nodeSelector: {} + # -- Tolerations for write pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: false + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the table-manager +tableManager: + # -- Specifies whether the table-manager should be enabled + enabled: false + image: + # -- The Docker registry for the table-manager image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the table-manager image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the table-manager image. Overrides `loki.image.tag` + tag: null + # -- Command to execute instead of defined in Docker image + command: null + # -- The name of the PriorityClass for table-manager pods + priorityClassName: null + # -- Labels for table-manager pods + podLabels: {} + # -- Annotations for table-manager deployment + annotations: {} + # -- Annotations for table-manager pods + podAnnotations: {} + # -- Labels for table-manager service + serviceLabels: {} + # -- Additional CLI args for the table-manager + extraArgs: [] + # -- Environment variables to add to the table-manager pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the table-manager pods + extraEnvFrom: [] + # -- Volume mounts to add to the table-manager pods + extraVolumeMounts: [] + # -- Volumes to add to the table-manager pods + extraVolumes: [] + # -- Resource requests and limits for the table-manager + resources: {} + # -- Containers to add to the table-manager pods + extraContainers: [] + # -- Grace period to allow the table-manager to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for table-manager pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.tableManagerSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + {{- include "loki.tableManagerSelectorLabels" . | nindent 12 }} + topologyKey: failure-domain.beta.kubernetes.io/zone + # -- Node selector for table-manager pods + nodeSelector: {} + # -- Tolerations for table-manager pods + tolerations: [] + # -- Enable deletes by retention + retention_deletes_enabled: true + # -- Set retention period + retention_period: 4320h + +# Configuration for the read pod(s) +read: + # -- Number of replicas for the read + replicas: 0 + autoscaling: + # -- Enable autoscaling for the read, this is only used if `queryIndex.enabled: true` + enabled: false + # -- Minimum autoscaling replicas for the read + minReplicas: 1 + # -- Maximum autoscaling replicas for the read + maxReplicas: 3 + # -- Target CPU utilisation percentage for the read + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the read + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + image: + # -- The Docker registry for the read image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the read image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the read image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for read pods + priorityClassName: null + # -- Annotations for read deployment + annotations: {} + # -- Annotations for read pods + podAnnotations: {} + # -- Additional labels for each `read` pod + podLabels: {} + # -- Additional selector labels for each `read` pod + selectorLabels: {} + # -- Labels for read service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the read + targetModule: "read" + # -- Whether or not to use the 2 target type simple scalable mode (read, write) or the + # 3 target type (read, write, backend). Legacy refers to the 2 target type, so true will + # run two targets, false will run 3 targets. + legacyReadTarget: false + # -- Additional CLI args for the read + extraArgs: [] + # -- Environment variables to add to the read pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the read pods + extraEnvFrom: [] + # -- Lifecycle for the read container + lifecycle: {} + # -- Volume mounts to add to the read pods + extraVolumeMounts: [] + # -- Volumes to add to the read pods + extraVolumes: [] + # -- Resource requests and limits for the read + resources: {} + # -- Grace period to allow the read to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for read pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.readSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for read pods + nodeSelector: {} + # -- Tolerations for read pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the backend pod(s) +backend: + # -- Number of replicas for the backend + replicas: 0 + autoscaling: + # -- Enable autoscaling for the backend. + enabled: false + # -- Minimum autoscaling replicas for the backend. + minReplicas: 1 + # -- Maximum autoscaling replicas for the backend. + maxReplicas: 3 + # -- Target CPU utilization percentage for the backend. + targetCPUUtilizationPercentage: 60 + # -- Target memory utilization percentage for the backend. + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + image: + # -- The Docker registry for the backend image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the backend image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the backend image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for backend pods + priorityClassName: null + # -- Annotations for backend StatefulSet + annotations: {} + # -- Annotations for backend pods + podAnnotations: {} + # -- Additional labels for each `backend` pod + podLabels: {} + # -- Additional selector labels for each `backend` pod + selectorLabels: {} + # -- Labels for ingester service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the read + targetModule: "backend" + # -- Additional CLI args for the backend + extraArgs: [] + # -- Environment variables to add to the backend pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the backend pods + extraEnvFrom: [] + # -- Init containers to add to the backend pods + initContainers: [] + # -- Volume mounts to add to the backend pods + extraVolumeMounts: [] + # -- Volumes to add to the backend pods + extraVolumes: [] + # -- Resource requests and limits for the backend + resources: {} + # -- Grace period to allow the backend to shutdown before it is killed. Especially for the ingester, + # this must be increased. It must be long enough so backends can be gracefully shutdown flushing/transferring + # all data and to successfully leave the member ring on shutdown. + terminationGracePeriodSeconds: 300 + # -- Affinity for backend pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.backendSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for backend pods + nodeSelector: {} + # -- Tolerations for backend pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the single binary node(s) +singleBinary: + # -- Number of replicas for the single binary + replicas: 1 + autoscaling: + # -- Enable autoscaling + enabled: false + # -- Minimum autoscaling replicas for the single binary + minReplicas: 1 + # -- Maximum autoscaling replicas for the single binary + maxReplicas: 3 + # -- Target CPU utilisation percentage for the single binary + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the single binary + targetMemoryUtilizationPercentage: + image: + # -- The Docker registry for the single binary image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the single binary image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the single binary image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for single binary pods + priorityClassName: null + # -- Annotations for single binary StatefulSet + annotations: {} + # -- Annotations for single binary pods + podAnnotations: {} + # -- Additional labels for each `single binary` pod + podLabels: {} + # -- Additional selector labels for each `single binary` pod + selectorLabels: {} + # -- Comma-separated list of Loki modules to load for the single binary + targetModule: "all" + # -- Labels for single binary service + extraArgs: [] + # -- Environment variables to add to the single binary pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the single binary pods + extraEnvFrom: [] + # -- Extra containers to add to the single binary loki pod + extraContainers: [] + # -- Init containers to add to the single binary pods + initContainers: [] + # -- Volume mounts to add to the single binary pods + extraVolumeMounts: [] + # -- Volumes to add to the single binary pods + extraVolumes: [] + # -- Resource requests and limits for the single binary + resources: {} + # -- Grace period to allow the single binary to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for single binary pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.singleBinarySelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for single binary pods + nodeSelector: {} + # -- Tolerations for single binary pods + tolerations: [] + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Enable persistent disk + enabled: true + # -- Size of persistent disk + size: 32Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Use either this ingress or the gateway, but not both at once. +# If you enable this, make sure to disable the gateway. +# You'll need to supply authn configuration for your ingress controller. +ingress: + enabled: false + ingressClassName: "" + annotations: {} + # nginx.ingress.kubernetes.io/auth-type: basic + # nginx.ingress.kubernetes.io/auth-secret: loki-distributed-basic-auth + # nginx.ingress.kubernetes.io/auth-secret-type: auth-map + # nginx.ingress.kubernetes.io/configuration-snippet: | + # proxy_set_header X-Scope-OrgID $remote_user; + paths: + write: + - /api/prom/push + - /loki/api/v1/push + read: + - /api/prom/tail + - /loki/api/v1/tail + - /loki/api + - /api/prom/rules + - /loki/api/v1/rules + - /prometheus/api/v1/rules + - /prometheus/api/v1/alerts + singleBinary: + - /api/prom/push + - /loki/api/v1/push + - /api/prom/tail + - /loki/api/v1/tail + - /loki/api + - /api/prom/rules + - /loki/api/v1/rules + - /prometheus/api/v1/rules + - /prometheus/api/v1/alerts + hosts: + - loki.example.com + tls: [] +# - hosts: +# - loki.example.com +# secretName: loki-distributed-tls + +# Configuration for the memberlist service +memberlist: + service: + publishNotReadyAddresses: true +# Configuration for the gateway +gateway: + # -- Specifies whether the gateway should be enabled + enabled: false + # -- Number of replicas for the gateway + replicas: 1 + # -- Enable logging of 2xx and 3xx HTTP requests + verboseLogging: true + autoscaling: + # -- Enable autoscaling for the gateway + enabled: false + # -- Minimum autoscaling replicas for the gateway + minReplicas: 1 + # -- Maximum autoscaling replicas for the gateway + maxReplicas: 3 + # -- Target CPU utilisation percentage for the gateway + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the gateway + targetMemoryUtilizationPercentage: + # -- See `kubectl explain deployment.spec.strategy` for more + # -- ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + deploymentStrategy: + type: RollingUpdate + image: + # -- The Docker registry for the gateway image + registry: docker.io + # -- The gateway image repository + repository: nginxinc/nginx-unprivileged + # -- The gateway image tag + tag: 1.19-alpine + # -- Overrides the gateway image tag with an image digest + digest: null + # -- The gateway image pull policy + pullPolicy: IfNotPresent + # -- The name of the PriorityClass for gateway pods + priorityClassName: null + # -- Annotations for gateway deployment + annotations: {} + # -- Annotations for gateway pods + podAnnotations: {} + # -- Additional labels for gateway pods + podLabels: {} + # -- Additional CLI args for the gateway + extraArgs: [] + # -- Environment variables to add to the gateway pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the gateway pods + extraEnvFrom: [] + # -- Lifecycle for the gateway container + lifecycle: {} + # -- Volumes to add to the gateway pods + extraVolumes: [] + # -- Volume mounts to add to the gateway pods + extraVolumeMounts: [] + # -- The SecurityContext for gateway containers + podSecurityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + # -- The SecurityContext for gateway containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + # -- Resource requests and limits for the gateway + resources: {} + # -- Grace period to allow the gateway to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for gateway pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.gatewaySelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for gateway pods + nodeSelector: {} + # -- Tolerations for gateway pods + tolerations: [] + # Gateway service configuration + service: + # -- Port of the gateway service + port: 80 + # -- Type of the gateway service + type: ClusterIP + # -- ClusterIP of the gateway service + clusterIP: null + # -- (int) Node port if service type is NodePort + nodePort: null + # -- Load balancer IPO address if service type is LoadBalancer + loadBalancerIP: null + # -- Annotations for the gateway service + annotations: {} + # -- Labels for gateway service + labels: {} + # Gateway ingress configuration + ingress: + # -- Specifies whether an ingress for the gateway should be created + enabled: false + # -- Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 + ingressClassName: "" + # -- Annotations for the gateway ingress + annotations: {} + # -- Labels for the gateway ingress + labels: {} + # -- Hosts configuration for the gateway ingress + hosts: + - host: gateway.loki.example.com + paths: + - path: / + # -- pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers + # pathType: Prefix + # -- TLS configuration for the gateway ingress + tls: + - secretName: loki-gateway-tls + hosts: + - gateway.loki.example.com + # Basic auth configuration + basicAuth: + # -- Enables basic authentication for the gateway + enabled: false + # -- The basic auth username for the gateway + username: null + # -- The basic auth password for the gateway + password: null + # -- Uses the specified users from the `loki.tenants` list to create the htpasswd file + # if `loki.tenants` is not set, the `gateway.basicAuth.username` and `gateway.basicAuth.password` are used + # The value is templated using `tpl`. Override this to use a custom htpasswd, e.g. in case the default causes + # high CPU load. + htpasswd: >- + {{ if .Values.loki.tenants }} + + + {{- range $t := .Values.loki.tenants }} + {{ htpasswd (required "All tenants must have a 'name' set" $t.name) (required "All tenants must have a 'password' set" $t.password) }} + + + {{- end }} + {{ else }} {{ htpasswd (required "'gateway.basicAuth.username' is required" .Values.gateway.basicAuth.username) (required "'gateway.basicAuth.password' is required" .Values.gateway.basicAuth.password) }} {{ end }} + # -- Existing basic auth secret to use. Must contain '.htpasswd' + existingSecret: null + # Configures the readiness probe for the gateway + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 15 + timeoutSeconds: 1 + nginxConfig: + # -- NGINX log format + logFormat: |- + main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + # -- Allows appending custom configuration to the server block + serverSnippet: "" + # -- Allows appending custom configuration to the http block, passed through the `tpl` function to allow templating + httpSnippet: >- + {{ if .Values.loki.tenants }}proxy_set_header X-Scope-OrgID $remote_user;{{ end }} + # -- Override Read URL + customReadUrl: null + # -- Override Write URL + customWriteUrl: null + # -- Override Backend URL + customBackendUrl: null + # -- Config file contents for Nginx. Passed through the `tpl` function to allow templating + # @default -- See values.yaml + file: | + {{- include "loki.nginxFile" . | indent 2 -}} +networkPolicy: + # -- Specifies whether Network Policies should be created + enabled: false + metrics: + # -- Specifies the Pods which are allowed to access the metrics port. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the metrics port + namespaceSelector: {} + # -- Specifies specific network CIDRs which are allowed to access the metrics port. + # In case you use namespaceSelector, you also have to specify your kubelet networks here. + # The metrics ports are also used for probes. + cidrs: [] + ingress: + # -- Specifies the Pods which are allowed to access the http port. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the http port + namespaceSelector: {} + alertmanager: + # -- Specify the alertmanager port used for alerting + port: 9093 + # -- Specifies the alertmanager Pods. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespace the alertmanager is running in + namespaceSelector: {} + externalStorage: + # -- Specify the port used for external storage, e.g. AWS S3 + ports: [] + # -- Specifies specific network CIDRs you want to limit access to + cidrs: [] + discovery: + # -- (int) Specify the port used for discovery + port: null + # -- Specifies the Pods labels used for discovery. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespace the discovery Pods are running in + namespaceSelector: {} +tracing: + jaegerAgentHost: "" +# ------------------------------------- +# Configuration for `minio` child chart +# ------------------------------------- +minio: + enabled: false + replicas: 1 + # Minio requires 2 to 16 drives for erasure code (drivesPerNode * replicas) + # https://docs.min.io/docs/minio-erasure-code-quickstart-guide + # Since we only have 1 replica, that means 2 drives must be used. + drivesPerNode: 2 + rootUser: enterprise-logs + rootPassword: supersecret + buckets: + - name: chunks + policy: none + purge: false + - name: ruler + policy: none + purge: false + - name: admin + policy: none + purge: false + persistence: + size: 5Gi + resources: + requests: + cpu: 100m + memory: 128Mi +# Create extra manifests via values. Would be passed through `tpl` for templating +extraObjects: [] +# - apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: loki-alerting-rules +# data: +# loki-alerting-rules.yaml: |- +# groups: +# - name: example +# rules: +# - alert: example +# expr: | +# sum(count_over_time({app="loki"} |~ "error")) > 0 +# for: 3m +# labels: +# severity: warning +# category: logs +# annotations: +# message: "loki has encountered errors" diff --git a/yaml/monitoring/loki-v12-values-short.yaml b/yaml/monitoring/loki-v12-values-short.yaml new file mode 100644 index 0000000..4021460 --- /dev/null +++ b/yaml/monitoring/loki-v12-values-short.yaml @@ -0,0 +1,1468 @@ +global: + image: + # -- Overrides the Docker registry globally for all images + registry: null + # -- Overrides the priorityClassName for all pods + priorityClassName: null + # -- configures cluster domain ("cluster.local" by default) + clusterDomain: "cluster.local" + # -- configures DNS service name + dnsService: "kube-dns" + # -- configures DNS service namespace + dnsNamespace: "kube-system" +# -- Overrides the chart's name +nameOverride: null +# -- Overrides the chart's computed fullname +fullnameOverride: null +# -- Overrides the chart's cluster label +clusterLabelOverride: null +# -- Image pull secrets for Docker images +imagePullSecrets: [] +kubectlImage: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: bitnami/kubectl + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +loki: + # Configures the readiness probe for all of the Loki pods + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 30 + timeoutSeconds: 1 + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki + # -- Overrides the image tag whose default is the chart's appVersion + # TODO: needed for 3rd target backend functionality + # revert to null or latest once this behavior is relased + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + # -- Common annotations for all deployments/StatefulSets + annotations: {} + # -- Common annotations for all pods + podAnnotations: {} + # -- Common labels for all pods + podLabels: {} + # -- The number of old ReplicaSets to retain to allow rollback + revisionHistoryLimit: 10 + # -- The SecurityContext for Loki pods + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + # -- The SecurityContext for Loki containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + # -- Should enableServiceLinks be enabled. Default to enable + enableServiceLinks: true + # -- Specify an existing secret containing loki configuration. If non-empty, overrides `loki.config` + existingSecretForConfig: "" + # -- Defines what kind of object stores the configuration, a ConfigMap or a Secret. + # In order to move sensitive information (such as credentials) from the ConfigMap/Secret to a more secure location (e.g. vault), it is possible to use [environment variables in the configuration](https://grafana.com/docs/loki/latest/configuration/#use-environment-variables-in-the-configuration). + # Such environment variables can be then stored in a separate Secret and injected via the global.extraEnvFrom value. For details about environment injection from a Secret please see [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables). + configStorageType: ConfigMap + # -- Name of the Secret or ConfigMap that contains the configuration (used for naming even if config is internal). + externalConfigSecretName: '{{ include "loki.name" . }}' + # -- Config file contents for Loki + # @default -- See values.yaml + config: | + {{- if .Values.enterprise.enabled}} + {{- tpl .Values.enterprise.config . }} + {{- else }} + auth_enabled: {{ .Values.loki.auth_enabled }} + {{- end }} + + {{- with .Values.loki.server }} + server: + {{- toYaml . | nindent 2}} + {{- end}} + + memberlist: + {{- if .Values.loki.extraMemberlistConfig}} + {{- toYaml .Values.loki.extraMemberlistConfig | nindent 2}} + {{- end }} + join_members: + - {{ include "loki.memberlist" . }} + {{- with .Values.migrate.fromDistributed }} + {{- if .enabled }} + - {{ .memberlistService }} + {{- end }} + {{- end }} + + {{- with .Values.loki.ingester }} + ingester: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- if .Values.loki.commonConfig}} + common: + {{- toYaml .Values.loki.commonConfig | nindent 2}} + storage: + {{- include "loki.commonStorageConfig" . | nindent 4}} + {{- end}} + + {{- with .Values.loki.limits_config }} + limits_config: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + runtime_config: + file: /etc/loki/runtime-config/runtime-config.yaml + + {{- with .Values.loki.memcached.chunk_cache }} + {{- if and .enabled (or .host .addresses) }} + chunk_store_config: + chunk_cache_config: + memcached: + batch_size: {{ .batch_size }} + parallelism: {{ .parallelism }} + memcached_client: + {{- if .host }} + host: {{ .host }} + {{- end }} + {{- if .addresses }} + addresses: {{ .addresses }} + {{- end }} + service: {{ .service }} + {{- end }} + {{- end }} + + {{- if .Values.loki.schemaConfig}} + schema_config: + {{- toYaml .Values.loki.schemaConfig | nindent 2}} + {{- else }} + schema_config: + configs: + - from: 2022-01-11 + store: boltdb-shipper + object_store: {{ .Values.loki.storage.type }} + schema: v12 + index: + prefix: loki_index_ + period: 24h + {{- end }} + + {{ include "loki.rulerConfig" . }} + + table_manager: + retention_deletes_enabled: {{ .Values.tableManager.retention_deletes_enabled }} + retention_period: {{ .Values.tableManager.retention_period }} + + {{- with .Values.loki.memcached.results_cache }} + query_range: + align_queries_with_step: true + {{- if and .enabled (or .host .addresses) }} + cache_results: {{ .enabled }} + results_cache: + cache: + default_validity: {{ .default_validity }} + memcached_client: + {{- if .host }} + host: {{ .host }} + {{- end }} + {{- if .addresses }} + addresses: {{ .addresses }} + {{- end }} + service: {{ .service }} + timeout: {{ .timeout }} + {{- end }} + {{- end }} + + {{- with .Values.loki.storage_config }} + storage_config: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.query_scheduler }} + query_scheduler: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.compactor }} + compactor: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.analytics }} + analytics: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.querier }} + querier: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.index_gateway }} + index_gateway: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.frontend }} + frontend: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + + {{- with .Values.loki.frontend_worker }} + frontend_worker: + {{- tpl (. | toYaml) $ | nindent 4 }} + {{- end }} + # Should authentication be enabled + auth_enabled: false + # Extra memberlist configuration + extraMemberlistConfig: {} + # -- Tenants list to be created on nginx htpasswd file, with name and password keys + tenants: [] + # -- Check https://grafana.com/docs/loki/latest/configuration/#server for more info on the server configuration. + server: + http_listen_port: 3100 + grpc_listen_port: 9095 + # -- Limits config + limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h + retention_period: 336h + retention_stream: + - selector: '{namespace="ingress-nginx"}' + priority: 1 + period: 24h + - selector: '{app="abios-sync"}' + priority: 1 + period: 24h + - selector: '{app="ingress-nginx"}' + priority: 1 + period: 24h + - selector: '{app="matches"}' + priority: 1 + period: 24h + - selector: '{app="socket-server"}' + priority: 1 + period: 24h + + # -- Provides a reloadable runtime configuration file for some specific configuration + runtimeConfig: {} + # -- Check https://grafana.com/docs/loki/latest/configuration/#common_config for more info on how to provide a common configuration + commonConfig: + path_prefix: /var/loki + replication_factor: 1 + compactor_address: '{{ include "loki.compactorAddress" . }}' + # -- Storage config. Providing this will automatically populate all necessary storage configs in the templated config. + storage: + bucketNames: + chunks: chunks + ruler: ruler + admin: admin + type: filesystem + s3: + s3: null + endpoint: null + region: null + secretAccessKey: null + accessKeyId: null + signatureVersion: null + s3ForcePathStyle: false + insecure: false + http_config: {} + gcs: + chunkBufferSize: 0 + requestTimeout: "0s" + enableHttp2: true + azure: + accountName: null + accountKey: null + useManagedIdentity: false + useFederatedToken: false + userAssignedId: null + requestTimeout: null + filesystem: + chunks_directory: /var/loki/chunks + rules_directory: /var/loki/rules + boltdb_shipper: + active_index_directory: /var/loki/boltdb-shipper-active + cache_location: /var/loki/boltdb-shipper-cache + cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space + shared_store: filesystem + # -- Configure memcached as an external cache for chunk and results cache. Disabled by default + # must enable and specify a host for each cache you would like to use. + memcached: + chunk_cache: + enabled: false + host: "" + service: "memcached-client" + batch_size: 256 + parallelism: 10 + results_cache: + enabled: false + host: "" + service: "memcached-client" + timeout: "500ms" + default_validity: "12h" + # -- Check https://grafana.com/docs/loki/latest/configuration/#schema_config for more info on how to configure schemas + schemaConfig: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + - from: 2023-06-13 + store: boltdb-shipper + object_store: filesystem + schema: v12 + index: + prefix: index_ + period: 24h + # -- Check https://grafana.com/docs/loki/latest/configuration/#ruler for more info on configuring ruler + rulerConfig: {} + # -- Structured loki configuration, takes precedence over `loki.config`, `loki.schemaConfig`, `loki.storageConfig` + structuredConfig: {} + # -- Additional query scheduler config + query_scheduler: {} + # -- Additional storage config + storage_config: + hedging: + at: "250ms" + max_per_second: 20 + up_to: 3 + # -- Optional compactor configuration + compactor: + working_directory: /var/loki/boltdb-shipper-compactor + shared_store: filesystem + retention_enabled: true + # -- Optional analytics configuration + analytics: {} + # -- Optional querier configuration + querier: {} + # -- Optional ingester configuration + ingester: + chunk_idle_period: 3m + chunk_block_size: 262144 + chunk_retain_period: 1m + max_transfer_retries: 0 + wal: + dir: /var/loki/wal + lifecycler: + ring: + kvstore: + store: inmemory + replication_factor: 1 + + # -- Optional index gateway configuration + index_gateway: + mode: ring + frontend: + scheduler_address: '{{ include "loki.querySchedulerAddress" . }}' + frontend_worker: + scheduler_address: '{{ include "loki.querySchedulerAddress" . }}' +enterprise: + # Enable enterprise features, license must be provided + enabled: false + # Default verion of GEL to deploy + version: v1.7.2 + # -- Optional name of the GEL cluster, otherwise will use .Release.Name + # The cluster name must match what is in your GEL license + cluster_name: null + # -- Grafana Enterprise Logs license + # In order to use Grafana Enterprise Logs features, you will need to provide + # the contents of your Grafana Enterprise Logs license, either by providing the + # contents of the license.jwt, or the name Kubernetes Secret that contains your + # license.jwt. + # To set the license contents, use the flag `--set-file 'enterprise.license.contents=./license.jwt'` + license: + contents: "NOTAVALIDLICENSE" + # -- Set to true when providing an external license + useExternalLicense: false + # -- Name of external license secret to use + externalLicenseName: null + # -- Name of the external config secret to use + externalConfigName: "" + # -- If enabled, the correct admin_client storage will be configured. If disabled while running enterprise, + # make sure auth is set to `type: trust`, or that `auth_enabled` is set to `false`. + adminApi: + enabled: true + # enterprise specific sections of the config.yaml file + config: | + {{- if .Values.enterprise.adminApi.enabled }} + {{- if or .Values.minio.enabled (eq .Values.loki.storage.type "s3") (eq .Values.loki.storage.type "gcs") (eq .Values.loki.storage.type "azure") }} + admin_client: + storage: + s3: + bucket_name: {{ .Values.loki.storage.bucketNames.admin }} + {{- end }} + {{- end }} + auth: + type: {{ .Values.enterprise.adminApi.enabled | ternary "enterprise" "trust" }} + auth_enabled: {{ .Values.loki.auth_enabled }} + cluster_name: {{ include "loki.clusterName" . }} + license: + path: /etc/loki/license/license.jwt + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/enterprise-logs + # -- Docker image tag + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + adminToken: + # -- Alternative name for admin token secret, needed by tokengen and provisioner jobs + secret: null + # -- Additional namespace to also create the token in. Useful if your Grafana instance + # is in a different namespace + additionalNamespaces: [] + # -- Alternative name of the secret to store token for the canary + canarySecret: null + # -- Configuration for `tokengen` target + tokengen: + # -- Whether the job should be part of the deployment + enabled: true + # -- Comma-separated list of Loki modules to load for tokengen + targetModule: "tokengen" + # -- Additional CLI arguments for the `tokengen` target + extraArgs: [] + # -- Additional Kubernetes environment + env: [] + # -- Additional labels for the `tokengen` Job + labels: {} + # -- Additional annotations for the `tokengen` Job + annotations: {} + # -- Tolerations for tokengen Job + tolerations: [] + # -- Additional volumes for Pods + extraVolumes: [] + # -- Additional volume mounts for Pods + extraVolumeMounts: [] + # -- Run containers as user `enterprise-logs(uid=10001)` + securityContext: + runAsNonRoot: true + runAsGroup: 10001 + runAsUser: 10001 + fsGroup: 10001 + # -- Environment variables from secrets or configmaps to add to the tokengen pods + extraEnvFrom: [] + # -- The name of the PriorityClass for tokengen Pods + priorityClassName: "" + # -- Configuration for `provisioner` target + provisioner: + # -- Whether the job should be part of the deployment + enabled: true + # -- Name of the secret to store provisioned tokens in + provisionedSecretPrefix: null + # -- Additional tenants to be created. Each tenant will get a read and write policy + # and associated token. Tenant must have a name and a namespace for the secret containting + # the token to be created in. For example + # additionalTenants: + # - name: loki + # secretNamespace: grafana + additionalTenants: [] + # -- Additional Kubernetes environment + env: [] + # -- Additional labels for the `provisioner` Job + labels: {} + # -- Additional annotations for the `provisioner` Job + annotations: {} + # -- The name of the PriorityClass for provisioner Job + priorityClassName: null + # -- Run containers as user `enterprise-logs(uid=10001)` + securityContext: + runAsNonRoot: true + runAsGroup: 10001 + runAsUser: 10001 + fsGroup: 10001 + # -- Provisioner image to Utilize + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/enterprise-logs-provisioner + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + # -- Volume mounts to add to the provisioner pods + extraVolumeMounts: [] +# -- Options that may be necessary when performing a migration from another helm chart +migrate: + # -- When migrating from a distributed chart like loki-distributed or enterprise-logs + fromDistributed: + # -- Set to true if migrating from a distributed helm chart + enabled: false + # -- If migrating from a distributed service, provide the distributed deployment's + # memberlist service DNS so the new deployment can join its ring. + memberlistService: "" +serviceAccount: + # -- Specifies whether a ServiceAccount should be created + create: true + # -- The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: null + # -- Image pull secrets for the service account + imagePullSecrets: [] + # -- Annotations for the service account + annotations: {} + # -- Labels for the service account + labels: {} + # -- Set this toggle to false to opt out of automounting API credentials for the service account + automountServiceAccountToken: true +# RBAC configuration +rbac: + # -- If pspEnabled true, a PodSecurityPolicy is created for K8s that use psp. + pspEnabled: false + # -- For OpenShift set pspEnabled to 'false' and sccEnabled to 'true' to use the SecurityContextConstraints. + sccEnabled: false +# -- Section for configuring optional Helm test +test: + enabled: false + # -- Address of the prometheus server to query for the test + prometheusAddress: "http://prometheus:9090" + # -- Number of times to retry the test before failing + timeout: 1m + # -- Additional labels for the test pods + labels: {} + # -- Additional annotations for test pods + annotations: {} + # -- Image to use for loki canary + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki-helm-test + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +# Monitoring section determines which monitoring features to enable +monitoring: + # Dashboards for monitoring Loki + dashboards: + # -- If enabled, create configmap with dashboards for monitoring Loki + enabled: false + # -- Alternative namespace to create dashboards ConfigMap in + namespace: null + # -- Additional annotations for the dashboards ConfigMap + annotations: {} + # -- Labels for the dashboards ConfigMap + labels: + grafana_dashboard: "1" + # Recording rules for monitoring Loki, required for some dashboards + rules: + # -- If enabled, create PrometheusRule resource with Loki recording rules + enabled: false + # -- Include alerting rules + alerting: true + # -- Alternative namespace to create PrometheusRule resources in + namespace: null + # -- Additional annotations for the rules PrometheusRule resource + annotations: {} + # -- Additional labels for the rules PrometheusRule resource + labels: {} + # -- Additional groups to add to the rules file + additionalGroups: [] + # - name: additional-loki-rules + # rules: + # - record: job:loki_request_duration_seconds_bucket:sum_rate + # expr: sum(rate(loki_request_duration_seconds_bucket[1m])) by (le, job) + # - record: job_route:loki_request_duration_seconds_bucket:sum_rate + # expr: sum(rate(loki_request_duration_seconds_bucket[1m])) by (le, job, route) + # - record: node_namespace_pod_container:container_cpu_usage_seconds_total:sum_rate + # expr: sum(rate(container_cpu_usage_seconds_total[1m])) by (node, namespace, pod, container) + # ServiceMonitor configuration + serviceMonitor: + # -- If enabled, ServiceMonitor resources for Prometheus Operator are created + enabled: false + # -- Namespace selector for ServiceMonitor resources + namespaceSelector: {} + # -- ServiceMonitor annotations + annotations: {} + # -- Additional ServiceMonitor labels + labels: {} + # -- ServiceMonitor scrape interval + # Default is 15s because included recording rules use a 1m rate, and scrape interval needs to be at + # least 1/4 rate interval. + interval: 15s + # -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s) + scrapeTimeout: null + # -- ServiceMonitor relabel configs to apply to samples before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + relabelings: [] + # -- ServiceMonitor will use http by default, but you can pick https as well + scheme: http + # -- ServiceMonitor will use these tlsConfig settings to make the health check requests + tlsConfig: null + # -- If defined, will create a MetricsInstance for the Grafana Agent Operator. + metricsInstance: + # -- If enabled, MetricsInstance resources for Grafana Agent Operator are created + enabled: true + # -- MetricsInstance annotations + annotations: {} + # -- Additional MetricsInstance labels + labels: {} + # -- If defined a MetricsInstance will be created to remote write metrics. + remoteWrite: null + # Self monitoring determines whether Loki should scrape its own logs. + # This feature currently relies on the Grafana Agent Operator being installed, + # which is installed by default using the grafana-agent-operator sub-chart. + # It will create custom resources for GrafanaAgent, LogsInstance, and PodLogs to configure + # scrape configs to scrape its own logs with the labels expected by the included dashboards. + selfMonitoring: + enabled: false + # -- Tenant to use for self monitoring + tenant: + # -- Name of the tenant + name: "self-monitoring" + # -- Namespace to create additional tenant token secret in. Useful if your Grafana instance + # is in a separate namespace. Token will still be created in the canary namespace. + secretNamespace: "{{ .Release.Namespace }}" + # Grafana Agent configuration + grafanaAgent: + # -- Controls whether to install the Grafana Agent Operator and its CRDs. + # Note that helm will not install CRDs if this flag is enabled during an upgrade. + # In that case install the CRDs manually from https://github.com/grafana/agent/tree/main/production/operator/crds + installOperator: true + # -- Grafana Agent annotations + annotations: {} + # -- Additional Grafana Agent labels + labels: {} + # -- Enable the config read api on port 8080 of the agent + enableConfigReadAPI: false + # PodLogs configuration + podLogs: + # -- PodLogs annotations + annotations: {} + # -- Additional PodLogs labels + labels: {} + # -- PodLogs relabel configs to apply to samples before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + relabelings: [] + # LogsInstance configuration + logsInstance: + # -- LogsInstance annotations + annotations: {} + # -- Additional LogsInstance labels + labels: {} + # -- Additional clients for remote write + clients: null + # The Loki canary pushes logs to and queries from this loki installation to test + # that it's working correctly + lokiCanary: + enabled: false + # -- Additional annotations for the `loki-canary` Daemonset + annotations: {} + # -- Additional CLI arguments for the `loki-canary' command + extraArgs: [] + # -- Environment variables to add to the canary pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the canary pods + extraEnvFrom: [] + # -- Resource requests and limits for the canary + resources: {} + # -- Node selector for canary pods + nodeSelector: {} + # -- Tolerations for canary pods + tolerations: [] + # -- Image to use for loki canary + image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/loki-canary + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Overrides the image tag with an image digest + digest: null + # -- Docker image pull policy + pullPolicy: IfNotPresent +# Configuration for the write pod(s) +write: + # -- Number of replicas for the write + replicas: 0 + autoscaling: + # -- Enable autoscaling for the write. + enabled: false + # -- Minimum autoscaling replicas for the write. + minReplicas: 1 + # -- Maximum autoscaling replicas for the write. + maxReplicas: 3 + # -- Target CPU utilisation percentage for the write. + targetCPUUtilizationPercentage: 60 + # -- Target memory utilization percentage for the write. + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: + # -- see https://github.com/grafana/loki/blob/main/docs/sources/operations/storage/wal.md#how-to-scale-updown for scaledown details + scaleUp: + policies: + - type: Pods + value: 1 + periodSeconds: 900 + scaleDown: + policies: + - type: Pods + value: 1 + periodSeconds: 1800 + stabilizationWindowSeconds: 3600 + image: + # -- The Docker registry for the write image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the write image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the write image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for write pods + priorityClassName: null + # -- Annotations for write StatefulSet + annotations: {} + # -- Annotations for write pods + podAnnotations: {} + # -- Additional labels for each `write` pod + podLabels: {} + # -- Additional selector labels for each `write` pod + selectorLabels: {} + # -- Labels for ingester service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the write + targetModule: "write" + # -- Additional CLI args for the write + extraArgs: [] + # -- Environment variables to add to the write pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the write pods + extraEnvFrom: [] + # -- Lifecycle for the write container + lifecycle: {} + # -- The default /flush_shutdown preStop hook is recommended as part of the ingester + # scaledown process so it's added to the template by default when autoscaling is enabled, + # but it's disabled to optimize rolling restarts in instances that will never be scaled + # down or when using chunks storage with WAL disabled. + # https://github.com/grafana/loki/blob/main/docs/sources/operations/storage/wal.md#how-to-scale-updown + # -- Init containers to add to the write pods + initContainers: [] + # -- Volume mounts to add to the write pods + extraVolumeMounts: [] + # -- Volumes to add to the write pods + extraVolumes: [] + # -- volumeClaimTemplates to add to StatefulSet + extraVolumeClaimTemplates: [] + # -- Resource requests and limits for the write + resources: {} + # -- Grace period to allow the write to shutdown before it is killed. Especially for the ingester, + # this must be increased. It must be long enough so writes can be gracefully shutdown flushing/transferring + # all data and to successfully leave the member ring on shutdown. + terminationGracePeriodSeconds: 300 + # -- Affinity for write pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.writeSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for write pods + nodeSelector: {} + # -- Tolerations for write pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: false + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the table-manager +tableManager: + # -- Specifies whether the table-manager should be enabled + enabled: false + image: + # -- The Docker registry for the table-manager image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the table-manager image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the table-manager image. Overrides `loki.image.tag` + tag: null + # -- Command to execute instead of defined in Docker image + command: null + # -- The name of the PriorityClass for table-manager pods + priorityClassName: null + # -- Labels for table-manager pods + podLabels: {} + # -- Annotations for table-manager deployment + annotations: {} + # -- Annotations for table-manager pods + podAnnotations: {} + # -- Labels for table-manager service + serviceLabels: {} + # -- Additional CLI args for the table-manager + extraArgs: [] + # -- Environment variables to add to the table-manager pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the table-manager pods + extraEnvFrom: [] + # -- Volume mounts to add to the table-manager pods + extraVolumeMounts: [] + # -- Volumes to add to the table-manager pods + extraVolumes: [] + # -- Resource requests and limits for the table-manager + resources: {} + # -- Containers to add to the table-manager pods + extraContainers: [] + # -- Grace period to allow the table-manager to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for table-manager pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.tableManagerSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchLabels: + {{- include "loki.tableManagerSelectorLabels" . | nindent 12 }} + topologyKey: failure-domain.beta.kubernetes.io/zone + # -- Node selector for table-manager pods + nodeSelector: {} + # -- Tolerations for table-manager pods + tolerations: [] + # -- Enable deletes by retention + retention_deletes_enabled: true + # -- Set retention period + retention_period: 336h + +# Configuration for the read pod(s) +read: + # -- Number of replicas for the read + replicas: 0 + autoscaling: + # -- Enable autoscaling for the read, this is only used if `queryIndex.enabled: true` + enabled: false + # -- Minimum autoscaling replicas for the read + minReplicas: 1 + # -- Maximum autoscaling replicas for the read + maxReplicas: 3 + # -- Target CPU utilisation percentage for the read + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the read + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + image: + # -- The Docker registry for the read image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the read image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the read image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for read pods + priorityClassName: null + # -- Annotations for read deployment + annotations: {} + # -- Annotations for read pods + podAnnotations: {} + # -- Additional labels for each `read` pod + podLabels: {} + # -- Additional selector labels for each `read` pod + selectorLabels: {} + # -- Labels for read service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the read + targetModule: "read" + # -- Whether or not to use the 2 target type simple scalable mode (read, write) or the + # 3 target type (read, write, backend). Legacy refers to the 2 target type, so true will + # run two targets, false will run 3 targets. + legacyReadTarget: false + # -- Additional CLI args for the read + extraArgs: [] + # -- Environment variables to add to the read pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the read pods + extraEnvFrom: [] + # -- Lifecycle for the read container + lifecycle: {} + # -- Volume mounts to add to the read pods + extraVolumeMounts: [] + # -- Volumes to add to the read pods + extraVolumes: [] + # -- Resource requests and limits for the read + resources: {} + # -- Grace period to allow the read to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for read pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.readSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for read pods + nodeSelector: {} + # -- Tolerations for read pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the backend pod(s) +backend: + # -- Number of replicas for the backend + replicas: 0 + autoscaling: + # -- Enable autoscaling for the backend. + enabled: false + # -- Minimum autoscaling replicas for the backend. + minReplicas: 1 + # -- Maximum autoscaling replicas for the backend. + maxReplicas: 3 + # -- Target CPU utilization percentage for the backend. + targetCPUUtilizationPercentage: 60 + # -- Target memory utilization percentage for the backend. + targetMemoryUtilizationPercentage: + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + image: + # -- The Docker registry for the backend image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the backend image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the backend image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for backend pods + priorityClassName: null + # -- Annotations for backend StatefulSet + annotations: {} + # -- Annotations for backend pods + podAnnotations: {} + # -- Additional labels for each `backend` pod + podLabels: {} + # -- Additional selector labels for each `backend` pod + selectorLabels: {} + # -- Labels for ingester service + serviceLabels: {} + # -- Comma-separated list of Loki modules to load for the read + targetModule: "backend" + # -- Additional CLI args for the backend + extraArgs: [] + # -- Environment variables to add to the backend pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the backend pods + extraEnvFrom: [] + # -- Init containers to add to the backend pods + initContainers: [] + # -- Volume mounts to add to the backend pods + extraVolumeMounts: [] + # -- Volumes to add to the backend pods + extraVolumes: [] + # -- Resource requests and limits for the backend + resources: {} + # -- Grace period to allow the backend to shutdown before it is killed. Especially for the ingester, + # this must be increased. It must be long enough so backends can be gracefully shutdown flushing/transferring + # all data and to successfully leave the member ring on shutdown. + terminationGracePeriodSeconds: 300 + # -- Affinity for backend pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.backendSelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for backend pods + nodeSelector: {} + # -- Tolerations for backend pods + tolerations: [] + # -- The default is to deploy all pods in parallel. + podManagementPolicy: "Parallel" + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Size of persistent disk + size: 10Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Configuration for the single binary node(s) +singleBinary: + # -- Number of replicas for the single binary + replicas: 1 + autoscaling: + # -- Enable autoscaling + enabled: false + # -- Minimum autoscaling replicas for the single binary + minReplicas: 1 + # -- Maximum autoscaling replicas for the single binary + maxReplicas: 3 + # -- Target CPU utilisation percentage for the single binary + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the single binary + targetMemoryUtilizationPercentage: + image: + # -- The Docker registry for the single binary image. Overrides `loki.image.registry` + registry: null + # -- Docker image repository for the single binary image. Overrides `loki.image.repository` + repository: null + # -- Docker image tag for the single binary image. Overrides `loki.image.tag` + tag: null + # -- The name of the PriorityClass for single binary pods + priorityClassName: null + # -- Annotations for single binary StatefulSet + annotations: {} + # -- Annotations for single binary pods + podAnnotations: {} + # -- Additional labels for each `single binary` pod + podLabels: {} + # -- Additional selector labels for each `single binary` pod + selectorLabels: {} + # -- Comma-separated list of Loki modules to load for the single binary + targetModule: "all" + # -- Labels for single binary service + extraArgs: [] + # -- Environment variables to add to the single binary pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the single binary pods + extraEnvFrom: [] + # -- Extra containers to add to the single binary loki pod + extraContainers: [] + # -- Init containers to add to the single binary pods + initContainers: [] + # -- Volume mounts to add to the single binary pods + extraVolumeMounts: [] + # -- Volumes to add to the single binary pods + extraVolumes: [] + # -- Resource requests and limits for the single binary + resources: {} + # -- Grace period to allow the single binary to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for single binary pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.singleBinarySelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for single binary pods + nodeSelector: {} + # -- Tolerations for single binary pods + tolerations: [] + persistence: + # -- Enable StatefulSetAutoDeletePVC feature + enableStatefulSetAutoDeletePVC: true + # -- Enable persistent disk + enabled: true + # -- Size of persistent disk + size: 32Gi + # -- Storage class to be used. + # If defined, storageClassName: . + # If set to "-", storageClassName: "", which disables dynamic provisioning. + # If empty or set to null, no storageClassName spec is + # set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS, and OpenStack). + storageClass: null + # -- Selector for persistent disk + selector: null +# Use either this ingress or the gateway, but not both at once. +# If you enable this, make sure to disable the gateway. +# You'll need to supply authn configuration for your ingress controller. +ingress: + enabled: false + ingressClassName: "" + annotations: {} + # nginx.ingress.kubernetes.io/auth-type: basic + # nginx.ingress.kubernetes.io/auth-secret: loki-distributed-basic-auth + # nginx.ingress.kubernetes.io/auth-secret-type: auth-map + # nginx.ingress.kubernetes.io/configuration-snippet: | + # proxy_set_header X-Scope-OrgID $remote_user; + paths: + write: + - /api/prom/push + - /loki/api/v1/push + read: + - /api/prom/tail + - /loki/api/v1/tail + - /loki/api + - /api/prom/rules + - /loki/api/v1/rules + - /prometheus/api/v1/rules + - /prometheus/api/v1/alerts + singleBinary: + - /api/prom/push + - /loki/api/v1/push + - /api/prom/tail + - /loki/api/v1/tail + - /loki/api + - /api/prom/rules + - /loki/api/v1/rules + - /prometheus/api/v1/rules + - /prometheus/api/v1/alerts + hosts: + - loki.example.com + tls: [] +# - hosts: +# - loki.example.com +# secretName: loki-distributed-tls + +# Configuration for the memberlist service +memberlist: + service: + publishNotReadyAddresses: true +# Configuration for the gateway +gateway: + # -- Specifies whether the gateway should be enabled + enabled: false + # -- Number of replicas for the gateway + replicas: 1 + # -- Enable logging of 2xx and 3xx HTTP requests + verboseLogging: true + autoscaling: + # -- Enable autoscaling for the gateway + enabled: false + # -- Minimum autoscaling replicas for the gateway + minReplicas: 1 + # -- Maximum autoscaling replicas for the gateway + maxReplicas: 3 + # -- Target CPU utilisation percentage for the gateway + targetCPUUtilizationPercentage: 60 + # -- Target memory utilisation percentage for the gateway + targetMemoryUtilizationPercentage: + # -- See `kubectl explain deployment.spec.strategy` for more + # -- ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # -- Behavior policies while scaling. + behavior: {} + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + deploymentStrategy: + type: RollingUpdate + image: + # -- The Docker registry for the gateway image + registry: docker.io + # -- The gateway image repository + repository: nginxinc/nginx-unprivileged + # -- The gateway image tag + tag: 1.19-alpine + # -- Overrides the gateway image tag with an image digest + digest: null + # -- The gateway image pull policy + pullPolicy: IfNotPresent + # -- The name of the PriorityClass for gateway pods + priorityClassName: null + # -- Annotations for gateway deployment + annotations: {} + # -- Annotations for gateway pods + podAnnotations: {} + # -- Additional labels for gateway pods + podLabels: {} + # -- Additional CLI args for the gateway + extraArgs: [] + # -- Environment variables to add to the gateway pods + extraEnv: [] + # -- Environment variables from secrets or configmaps to add to the gateway pods + extraEnvFrom: [] + # -- Lifecycle for the gateway container + lifecycle: {} + # -- Volumes to add to the gateway pods + extraVolumes: [] + # -- Volume mounts to add to the gateway pods + extraVolumeMounts: [] + # -- The SecurityContext for gateway containers + podSecurityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + # -- The SecurityContext for gateway containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + # -- Resource requests and limits for the gateway + resources: {} + # -- Grace period to allow the gateway to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Affinity for gateway pods. Passed through `tpl` and, thus, to be configured as string + # @default -- Hard node and soft zone anti-affinity + affinity: | + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + {{- include "loki.gatewaySelectorLabels" . | nindent 10 }} + topologyKey: kubernetes.io/hostname + # -- Node selector for gateway pods + nodeSelector: {} + # -- Tolerations for gateway pods + tolerations: [] + # Gateway service configuration + service: + # -- Port of the gateway service + port: 80 + # -- Type of the gateway service + type: ClusterIP + # -- ClusterIP of the gateway service + clusterIP: null + # -- (int) Node port if service type is NodePort + nodePort: null + # -- Load balancer IPO address if service type is LoadBalancer + loadBalancerIP: null + # -- Annotations for the gateway service + annotations: {} + # -- Labels for gateway service + labels: {} + # Gateway ingress configuration + ingress: + # -- Specifies whether an ingress for the gateway should be created + enabled: false + # -- Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 + ingressClassName: "" + # -- Annotations for the gateway ingress + annotations: {} + # -- Labels for the gateway ingress + labels: {} + # -- Hosts configuration for the gateway ingress + hosts: + - host: gateway.loki.example.com + paths: + - path: / + # -- pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers + # pathType: Prefix + # -- TLS configuration for the gateway ingress + tls: + - secretName: loki-gateway-tls + hosts: + - gateway.loki.example.com + # Basic auth configuration + basicAuth: + # -- Enables basic authentication for the gateway + enabled: false + # -- The basic auth username for the gateway + username: null + # -- The basic auth password for the gateway + password: null + # -- Uses the specified users from the `loki.tenants` list to create the htpasswd file + # if `loki.tenants` is not set, the `gateway.basicAuth.username` and `gateway.basicAuth.password` are used + # The value is templated using `tpl`. Override this to use a custom htpasswd, e.g. in case the default causes + # high CPU load. + htpasswd: >- + {{ if .Values.loki.tenants }} + + + {{- range $t := .Values.loki.tenants }} + {{ htpasswd (required "All tenants must have a 'name' set" $t.name) (required "All tenants must have a 'password' set" $t.password) }} + + + {{- end }} + {{ else }} {{ htpasswd (required "'gateway.basicAuth.username' is required" .Values.gateway.basicAuth.username) (required "'gateway.basicAuth.password' is required" .Values.gateway.basicAuth.password) }} {{ end }} + # -- Existing basic auth secret to use. Must contain '.htpasswd' + existingSecret: null + # Configures the readiness probe for the gateway + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 15 + timeoutSeconds: 1 + nginxConfig: + # -- NGINX log format + logFormat: |- + main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + # -- Allows appending custom configuration to the server block + serverSnippet: "" + # -- Allows appending custom configuration to the http block, passed through the `tpl` function to allow templating + httpSnippet: >- + {{ if .Values.loki.tenants }}proxy_set_header X-Scope-OrgID $remote_user;{{ end }} + # -- Override Read URL + customReadUrl: null + # -- Override Write URL + customWriteUrl: null + # -- Override Backend URL + customBackendUrl: null + # -- Config file contents for Nginx. Passed through the `tpl` function to allow templating + # @default -- See values.yaml + file: | + {{- include "loki.nginxFile" . | indent 2 -}} +networkPolicy: + # -- Specifies whether Network Policies should be created + enabled: false + metrics: + # -- Specifies the Pods which are allowed to access the metrics port. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the metrics port + namespaceSelector: {} + # -- Specifies specific network CIDRs which are allowed to access the metrics port. + # In case you use namespaceSelector, you also have to specify your kubelet networks here. + # The metrics ports are also used for probes. + cidrs: [] + ingress: + # -- Specifies the Pods which are allowed to access the http port. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the http port + namespaceSelector: {} + alertmanager: + # -- Specify the alertmanager port used for alerting + port: 9093 + # -- Specifies the alertmanager Pods. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespace the alertmanager is running in + namespaceSelector: {} + externalStorage: + # -- Specify the port used for external storage, e.g. AWS S3 + ports: [] + # -- Specifies specific network CIDRs you want to limit access to + cidrs: [] + discovery: + # -- (int) Specify the port used for discovery + port: null + # -- Specifies the Pods labels used for discovery. + # As this is cross-namespace communication, you also need the namespaceSelector. + podSelector: {} + # -- Specifies the namespace the discovery Pods are running in + namespaceSelector: {} +tracing: + jaegerAgentHost: "" +# ------------------------------------- +# Configuration for `minio` child chart +# ------------------------------------- +minio: + enabled: false + replicas: 1 + # Minio requires 2 to 16 drives for erasure code (drivesPerNode * replicas) + # https://docs.min.io/docs/minio-erasure-code-quickstart-guide + # Since we only have 1 replica, that means 2 drives must be used. + drivesPerNode: 2 + rootUser: enterprise-logs + rootPassword: supersecret + buckets: + - name: chunks + policy: none + purge: false + - name: ruler + policy: none + purge: false + - name: admin + policy: none + purge: false + persistence: + size: 5Gi + resources: + requests: + cpu: 100m + memory: 128Mi +# Create extra manifests via values. Would be passed through `tpl` for templating +extraObjects: [] +# - apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: loki-alerting-rules +# data: +# loki-alerting-rules.yaml: |- +# groups: +# - name: example +# rules: +# - alert: example +# expr: | +# sum(count_over_time({app="loki"} |~ "error")) > 0 +# for: 3m +# labels: +# severity: warning +# category: logs +# annotations: +# message: "loki has encountered errors" diff --git a/yaml/monitoring/loki-v12-volumes.yaml b/yaml/monitoring/loki-v12-volumes.yaml new file mode 100644 index 0000000..d4f51f8 --- /dev/null +++ b/yaml/monitoring/loki-v12-volumes.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: storage-loki-0 + namespace: loki +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: ${LOKI_STORAGE_SIZE} + volumeName: "loki-v12-data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: loki-v12-data +spec: + capacity: + storage: ${LOKI_STORAGE_SIZE} + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + rbd: + monitors: + - ${CEPH_MONITOR_1}:6789 + - ${CEPH_MONITOR_2}:6789 + - ${CEPH_MONITOR_3}:6789 + pool: kube + user: kube + secretRef: + name: ceph-secret-kube + namespace: kube-system + fsType: ext4 + readOnly: false + image: loki-v12-data \ No newline at end of file diff --git a/yaml/monitoring/prometheus-values.yaml b/yaml/monitoring/prometheus-values.yaml new file mode 100644 index 0000000..d0b6db3 --- /dev/null +++ b/yaml/monitoring/prometheus-values.yaml @@ -0,0 +1,1694 @@ +rbac: + create: true + +podSecurityPolicy: + enabled: false + +imagePullSecrets: +# - name: "image-pull-secret" + +## Define serviceAccount names for components. Defaults to component's fully qualified name. +## +serviceAccounts: + alertmanager: + create: true + name: + annotations: {} + nodeExporter: + create: true + name: + annotations: {} + pushgateway: + create: true + name: + annotations: {} + server: + create: true + name: + annotations: {} + +alertmanager: + ## If false, alertmanager will not be installed + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY + ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. + useClusterRole: true + + ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + useExistingRole: false + + ## alertmanager container name + ## + name: alertmanager + + ## alertmanager container image + ## + image: + repository: quay.io/prometheus/alertmanager + tag: v0.21.0 + pullPolicy: IfNotPresent + + ## alertmanager priorityClassName + ## + priorityClassName: "" + + ## Additional alertmanager container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + baseURL: "http://localhost:9093" + + ## Additional alertmanager container environment variable + ## For instance to add a http_proxy + ## + extraEnv: {} + + ## Additional alertmanager Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config + ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configFromSecret: "" + + ## The configuration file name to be loaded to alertmanager + ## Must match the key within configuration loaded from ConfigMap/Secret + ## + configFileName: alertmanager.yml + + ingress: + ## If true, alertmanager Ingress will be created + ## + enabled: false + + ## alertmanager Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## alertmanager Ingress additional labels + ## + extraLabels: {} + + ## alertmanager Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - alertmanager.domain.com + # - domain.com/alertmanager + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## alertmanager Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - alertmanager.domain.com + + ## Alertmanager Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for alertmanager scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for alertmanager pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, alertmanager will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## alertmanager data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## alertmanager data Persistent Volume Claim annotations + ## + annotations: {} + + ## alertmanager data Persistent Volume existing claim name + ## Requires alertmanager.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "monitoring-prometheus-alertmanager-data" + + ## alertmanager data Persistent Volume mount root path + ## + mountPath: /data + + ## alertmanager data Persistent Volume size + ## + size: 2Gi + + ## alertmanager data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## alertmanager data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of alertmanager data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + emptyDir: + ## alertmanager emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to alertmanager pods + ## + podAnnotations: {} + ## Tell prometheus to use a specific set of alertmanager pods + ## instead of all alertmanager pods found in the same namespace + ## Useful if you deploy multiple releases within the same namespace + ## + ## prometheus.io/probe: alertmanager-teamA + + ## Labels to be added to Prometheus AlertManager pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + enableMeshPeer: false + + servicePort: 80 + + ## alertmanager resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # Custom DNS configuration to be added to alertmanager pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to alertmanager pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + ## List of IP addresses at which the alertmanager service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + # nodePort: 30000 + sessionAffinity: None + type: ClusterIP + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/jimmidyson/configmap-reload +## +configmapReload: + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + alertmanager: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + +kubeStateMetrics: + ## If false, kube-state-metrics sub-chart will not be installed + ## + enabled: true + +## kube-state-metrics sub-chart configurable values +## Please see https://github.com/kubernetes/kube-state-metrics/tree/master/charts/kube-state-metrics +## +# kube-state-metrics: + +nodeExporter: + ## If false, node-exporter will not be installed + ## + enabled: true + + ## If true, node-exporter pods share the host network namespace + ## + hostNetwork: true + + ## If true, node-exporter pods share the host PID namespace + ## + hostPID: true + + ## If true, node-exporter pods mounts host / at /host/root + ## + hostRootfs: true + + ## node-exporter container name + ## + name: node-exporter + + ## node-exporter container image + ## + image: + repository: quay.io/prometheus/node-exporter + tag: v1.1.2 + pullPolicy: IfNotPresent + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## node-exporter priorityClassName + ## + priorityClassName: "" + + ## Custom Update Strategy + ## + updateStrategy: + type: RollingUpdate + + ## Additional node-exporter container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional node-exporter hostPath mounts + ## + extraHostPathMounts: [] + # - name: textfile-dir + # mountPath: /srv/txt_collector + # hostPath: /var/lib/node-exporter + # readOnly: true + # mountPropagation: HostToContainer + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # configMap: certs-configmap + # readOnly: true + + ## Node tolerations for node-exporter scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for node-exporter pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to node-exporter pods + ## + podAnnotations: {} + + ## Labels to be added to node-exporter pods + ## + pod: + labels: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## node-exporter resource limits & requests + ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + + # Custom DNS configuration to be added to node-exporter pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to node-exporter pods + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + + service: + annotations: + prometheus.io/scrape: "true" + labels: {} + + # Exposed as a headless service: + # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services + clusterIP: None + + ## List of IP addresses at which the node-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + hostPort: 9100 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9100 + type: ClusterIP + +server: + ## Prometheus server container name + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a RoleBinding in the defined namespaces ONLY + ## + ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## + ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. + ## + # useExistingClusterRoleName: nameofclusterrole + + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + # namespaces: + # - yournamespace + + name: server + + # sidecarContainers - add more containers to prometheus server + # Key/Value where Key is the sidecar `- name: ` + # Example: + # sidecarContainers: + # webserver: + # image: nginx + sidecarContainers: {} + + ## Prometheus server container image + ## + image: + repository: quay.io/prometheus/prometheus + tag: v2.26.0 + pullPolicy: IfNotPresent + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## EnableServiceLinks indicates whether information about services should be injected + ## into pod's environment variables, matching the syntax of Docker links. + ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0. + ## + enableServiceLinks: true + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access prometheus + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. + # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + + ### The data directory used by prometheus to set --storage.tsdb.path + ### When empty server.persistentVolume.mountPath is used instead + storagePath: "" + + global: + ## How frequently to scrape targets by default + ## + scrape_interval: 1m + ## How long until a scrape request times out + ## + scrape_timeout: 10s + ## How frequently to evaluate rules + ## + evaluation_interval: 1m + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: [] + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: [] + + ## Additional Prometheus server container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + # strategy: + # type: Recreate + + ## hostAliases allows adding entries to /etc/hosts inside the containers + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "example.com" + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "monitoring-prometheus-server-data" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 32Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + emptyDir: + ## Prometheus server emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + readinessProbeInitialDelay: 30 + readinessProbePeriodSeconds: 5 + readinessProbeTimeout: 4 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbePeriodSeconds: 15 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + # When hostNetwork is enabled, you probably want to set this to ClusterFirstWithHostNet + dnsPolicy: ClusterFirst + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-server' + + # Custom DNS configuration to be added to prometheus server pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + ## Security context to be added to server pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: "15d" + +pushgateway: + ## If false, pushgateway will not be installed + ## + enabled: true + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## pushgateway container name + ## + name: pushgateway + + ## pushgateway container image + ## + image: + repository: prom/pushgateway + tag: v1.3.1 + pullPolicy: IfNotPresent + + ## pushgateway priorityClassName + ## + priorityClassName: "" + + ## Additional pushgateway container arguments + ## + ## for example: persistence.file: /data/pushgateway.data + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ingress: + ## If true, pushgateway Ingress will be created + ## + enabled: false + + ## pushgateway Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## pushgateway Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - pushgateway.domain.com + # - domain.com/pushgateway + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## pushgateway Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - pushgateway.domain.com + + ## Node tolerations for pushgateway scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for pushgateway pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to pushgateway pods + ## + podAnnotations: {} + + ## Labels to be added to pushgateway pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## pushgateway resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + # Custom DNS configuration to be added to push-gateway pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to push-gateway pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + + service: + annotations: + prometheus.io/probe: pushgateway + labels: {} + clusterIP: "" + + ## List of IP addresses at which the pushgateway service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9091 + type: ClusterIP + + ## pushgateway Deployment Strategy type + # strategy: + # type: Recreate + + persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## + enabled: false + + ## pushgateway data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## pushgateway data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + +## alertmanager ConfigMap entries +## +alertmanagerFiles: + alertmanager.yml: + global: {} + # slack_api_url: '' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Prometheus server ConfigMap entries +## +serverFiles: + + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' + # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + rules: {} + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + # Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: 'kubernetes-apiservers' + + kubernetes_sd_configs: + - role: endpoints + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + - job_name: 'kubernetes-service-endpoints' + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: kubernetes_node + + # Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + - job_name: 'kubernetes-service-endpoints-slow' + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: kubernetes_node + + - job_name: 'prometheus-pushgateway' + honor_labels: true + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: pushgateway + + # Example scrape config for probing services via the Blackbox Exporter. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/probe`: Only probe services that have a value of `true` + - job_name: 'kubernetes-services' + + metrics_path: /probe + params: + module: [http_2xx] + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: kubernetes_name + + # Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape`: Only scrape pods that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods' + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed + action: drop + + # Example Scrape config for pods which should be scraped slower. An useful example + # would be stackriver-exporter which queries an API on every scrape of the pod + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods-slow' + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed + action: drop + +# adds additional scrape configs to prometheus.yml +# must be a string so you have to add a | after extraScrapeConfigs: +# example adds prometheus-blackbox-exporter scrape config +extraScrapeConfigs: + # - job_name: 'prometheus-blackbox-exporter' + # metrics_path: /probe + # params: + # module: [http_2xx] + # static_configs: + # - targets: + # - https://example.com + # relabel_configs: + # - source_labels: [__address__] + # target_label: __param_target + # - source_labels: [__param_target] + # target_label: instance + # - target_label: __address__ + # replacement: prometheus-blackbox-exporter:9115 + +# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager +# useful in H/A prometheus with different external labels but the same alerts +alertRelabelConfigs: + # alert_relabel_configs: + # - source_labels: [dc] + # regex: (.+)\d+ + # target_label: dc + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + +# Force namespace of namespaced resources +forceNamespace: null diff --git a/yaml/monitoring/prometheus-volumes.yaml b/yaml/monitoring/prometheus-volumes.yaml new file mode 100644 index 0000000..30c84e0 --- /dev/null +++ b/yaml/monitoring/prometheus-volumes.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: monitoring-prometheus-alertmanager-data + namespace: monitoring +spec: + accessModes: + - ReadWriteOnce + storageClassName: rados-block + resources: + requests: + storage: 2Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: monitoring-prometheus-server-data + namespace: monitoring +spec: + accessModes: + - ReadWriteOnce + storageClassName: rados-block + resources: + requests: + storage: 32Gi \ No newline at end of file diff --git a/yaml/monitoring/promtail-values.yaml b/yaml/monitoring/promtail-values.yaml new file mode 100644 index 0000000..1c5e36d --- /dev/null +++ b/yaml/monitoring/promtail-values.yaml @@ -0,0 +1,485 @@ +# -- Overrides the chart's name +nameOverride: null + +# -- Overrides the chart's computed fullname +fullnameOverride: null + +initContainer: + # -- Specifies whether the init container for setting inotify max user instances is to be enabled + enabled: false + image: + # -- The Docker registry for the init container + registry: docker.io + # -- Docker image repository for the init container + repository: busybox + # -- Docker tag for the init container + tag: 1.33 + # -- Docker image pull policy for the init container image + pullPolicy: IfNotPresent + # -- The inotify max user instances to configure + fsInotifyMaxUserInstances: 128 + +image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/promtail + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + +# -- Image pull secrets for Docker images +imagePullSecrets: [] + +# -- Annotations for the SaemonSet +annotations: {} + +# -- The update strategy for the DaemonSet +updateStrategy: {} + +# -- Pod labels +podLabels: {} + +# -- Pod annotations +podAnnotations: {} +# prometheus.io/scrape: "true" +# prometheus.io/port: "http-metrics" + +# -- The name of the PriorityClass +priorityClassName: null + +# -- Liveness probe +livenessProbe: {} + +# -- Readiness probe +# @default -- See `values.yaml` +readinessProbe: + failureThreshold: 5 + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +# -- Resource requests and limits +resources: {} +# limits: +# cpu: 200m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +# -- The security context for pods +podSecurityContext: + runAsUser: 0 + runAsGroup: 0 + +# -- The security context for containers +containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + +rbac: + # -- Specifies whether RBAC resources are to be created + create: true + # -- Specifies whether a PodSecurityPolicy is to be created + pspEnabled: false + +serviceAccount: + # -- Specifies whether a ServiceAccount should be created + create: true + # -- The name of the ServiceAccount to use. + # If not set and `create` is true, a name is generated using the fullname template + name: null + # -- Image pull secrets for the service account + imagePullSecrets: [] + # -- Annotations for the service account + annotations: {} + +# -- Node selector for pods +nodeSelector: {} + +# -- Affinity configuration for pods +affinity: {} + +# -- Tolerations for pods. By default, pods will be scheduled on master/control-plane nodes. +tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + +# -- Default volumes that are mounted into pods. In most cases, these should not be changed. +# Use `extraVolumes`/`extraVolumeMounts` for additional custom volumes. +# @default -- See `values.yaml` +defaultVolumes: + - name: containers + hostPath: + path: /var/lib/docker/containers + - name: pods + hostPath: + path: /var/log/pods + +# -- Default volume mounts. Corresponds to `volumes`. +# @default -- See `values.yaml` +defaultVolumeMounts: + - name: containers + mountPath: /var/lib/docker/containers + readOnly: true + - name: pods + mountPath: /var/log/pods + readOnly: true + +# Extra volumes to be added in addition to those specified under `defaultVolumes`. +extraVolumes: [] + +# Extra volume mounts together. Corresponds to `extraVolumes`. +extraVolumeMounts: [] + +# Extra args for the Promtail container. +extraArgs: [] +# -- Example: +# -- extraArgs: +# -- - -client.external-labels=hostname=$(HOSTNAME) + +# -- Extra environment variables +extraEnv: [] + +# -- Extra environment variables from secrets or configmaps +extraEnvFrom: [] + +# ServiceMonitor configuration +serviceMonitor: + # -- If enabled, ServiceMonitor resources for Prometheus Operator are created + enabled: false + # -- Alternative namespace for ServiceMonitor resources + namespace: null + # -- Namespace selector for ServiceMonitor resources + namespaceSelector: {} + # -- ServiceMonitor annotations + annotations: {} + # -- Additional ServiceMonitor labels + labels: {} + # -- ServiceMonitor scrape interval + interval: null + # -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s) + scrapeTimeout: null + +# -- Configure additional ports and services. For each configured port, a corresponding service is created. +# See values.yaml for details +extraPorts: {} +# syslog: +# name: tcp-syslog +# containerPort: 1514 +# protocol: TCP +# service: +# type: ClusterIP +# clusterIP: null +# port: 1514 +# externalIPs: [] +# nodePort: null +# annotations: {} +# labels: {} +# loadBalancerIP: null +# loadBalancerSourceRanges: [] +# externalTrafficPolicy: null + +# -- PodSecurityPolicy configuration. +# @default -- See `values.yaml` +podSecurityPolicy: + privileged: true + allowPrivilegeEscalation: true + volumes: + - 'secret' + - 'hostPath' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + +# -- Section for crafting Promtails config file. The only directly relevant value is `config.file` +# which is a templated string that references the other values and snippets below this key. +# @default -- See `values.yaml` +config: + # -- The log level of the Promtail server + # Must be reference in `config.file` to configure `server.log_level` + # See default config in `values.yaml` + logLevel: info + # -- The port of the Promtail server + # Must be reference in `config.file` to configure `server.http_listen_port` + # See default config in `values.yaml` + serverPort: 3101 + # -- The Loki address to post logs to. + # Must be reference in `config.file` to configure `client.url`. + # See default config in `values.yaml` + #lokiAddress: http://loki:3100/loki/api/v1/push + lokiAddress: http://loki-v12:3100/loki/api/v1/push + # -- A section of reusable snippets that can be reference in `config.file`. + # Custom snippets may be added in order to reduce redundancy. + # This is especially helpful when multiple `kubernetes_sd_configs` are use which usually have large parts in common. + # @default -- See `values.yaml` + snippets: + pipelineStages: + - cri: {} + common: + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node_name + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + replacement: $1 + separator: / + source_labels: + - namespace + - app + target_label: job + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: replace + source_labels: + - __meta_kubernetes_pod_container_name + target_label: container + - action: replace + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_uid + - __meta_kubernetes_pod_container_name + target_label: __path__ + - action: replace + replacement: /var/log/pods/*$1/*.log + regex: true/(.*) + separator: / + source_labels: + - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash + - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash + - __meta_kubernetes_pod_container_name + target_label: __path__ + + # If set to true, adds an additional label for the scrape job. + # This helps debug the Promtail config. + addScrapeJobLabel: false + + # -- You can put here any keys that will be directly added to the config file's 'client' block. + # @default -- empty + extraClientConfigs: "" + + # -- You can put here any additional scrape configs you want to add to the config file. + # @default -- empty + extraScrapeConfigs: "" + + scrapeConfigs: | + # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference + + # Pods with a label 'app.kubernetes.io/name' + - job_name: kubernetes-pods-app-kubernetes-io-name + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: replace + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + target_label: app + - action: drop + regex: '' + source_labels: + - app + - action: replace + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_component + target_label: component + {{- if .Values.config.snippets.addScrapeJobLabel }} + - action: replace + replacement: kubernetes-pods-app-kubernetes-io-name + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + + # Pods with a label 'app' + - job_name: kubernetes-pods-app + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + # Drop pods with label 'app.kubernetes.io/name'. They are already considered above + - action: drop + regex: .+ + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - action: replace + source_labels: + - __meta_kubernetes_pod_label_app + target_label: app + - action: drop + regex: '' + source_labels: + - app + - action: replace + source_labels: + - __meta_kubernetes_pod_label_component + target_label: component + {{- if .Values.config.snippets.addScrapeJobLabel }} + - action: replace + replacement: kubernetes-pods-app + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + + # Pods with direct controllers, such as StatefulSet + - job_name: kubernetes-pods-direct-controllers + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + # Drop pods with label 'app.kubernetes.io/name' or 'app'. They are already considered above + - action: drop + regex: .+ + separator: '' + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - action: drop + regex: '[0-9a-z-.]+-[0-9a-f]{8,10}' + source_labels: + - __meta_kubernetes_pod_controller_name + - action: replace + source_labels: + - __meta_kubernetes_pod_controller_name + target_label: app + {{- if .Values.config.snippets.addScrapeJobLabel }} + - action: replace + replacement: kubernetes-pods-direct-controllers + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + + # Pods with indirect controllers, such as Deployment + - job_name: kubernetes-pods-indirect-controller + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + # Drop pods with label 'app.kubernetes.io/name' or 'app'. They are already considered above + - action: drop + regex: .+ + separator: '' + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - action: keep + regex: '[0-9a-z-.]+-[0-9a-f]{8,10}' + source_labels: + - __meta_kubernetes_pod_controller_name + - action: replace + regex: '([0-9a-z-.]+)-[0-9a-f]{8,10}' + source_labels: + - __meta_kubernetes_pod_controller_name + target_label: app + {{- if .Values.config.snippets.addScrapeJobLabel }} + - action: replace + replacement: kubernetes-pods-indirect-controller + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + # All remaining pods not yet covered + - job_name: kubernetes-other + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + # Drop what has already been covered + - action: drop + regex: .+ + separator: '' + source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - action: drop + regex: .+ + source_labels: + - __meta_kubernetes_pod_controller_name + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: app + - action: replace + source_labels: + - __meta_kubernetes_pod_label_component + target_label: component + {{- if .Values.config.snippets.addScrapeJobLabel }} + - action: replace + replacement: kubernetes-other + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + + # -- Config file contents for Promtail. + # Must be configured as string. + # It is templated so it can be assembled from reusable snippets in order to avoid redundancy. + # @default -- See `values.yaml` + file: | + server: + log_level: {{ .Values.config.logLevel }} + http_listen_port: {{ .Values.config.serverPort }} + + client: + url: {{ tpl .Values.config.lokiAddress . }} + {{- tpl .Values.config.snippets.extraClientConfigs . | nindent 2 }} + + positions: + filename: /run/promtail/positions.yaml + + scrape_configs: + {{- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 }} + {{- tpl .Values.config.snippets.extraScrapeConfigs . | nindent 2 }} + +networkPolicy: + # -- Specifies whether Network Policies should be created + enabled: false + metrics: + # -- Specifies the Pods which are allowed to access the metrics port. + # As this is cross-namespace communication, you also neeed the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the metrics port + namespaceSelector: {} + # -- Specifies specific network CIDRs which are allowed to access the metrics port. + # In case you use namespaceSelector, you also have to specify your kubelet networks here. + # The metrics ports are also used for probes. + cidrs: [] + k8sApi: + # -- Specify the k8s API endpoint port + port: 8443 + # -- Specifies specific network CIDRs you want to limit access to + cidrs: [] diff --git a/yaml/monitoring/zabbix-agent-daemonset.yaml b/yaml/monitoring/zabbix-agent-daemonset.yaml new file mode 100644 index 0000000..a832f1a --- /dev/null +++ b/yaml/monitoring/zabbix-agent-daemonset.yaml @@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: zabbix-agent + namespace: monitoring +spec: + selector: + matchLabels: + app: zabbix-agent + template: + metadata: + labels: + app: zabbix-agent + spec: + hostNetwork: true + hostPID: true + hostIPC: false + containers: + - name: zabbix-agent + image: zabbix/zabbix-agent:alpine-5.0-latest + imagePullPolicy: Always + ports: + - containerPort: 10050 + name: zabbix-agent + env: + - name: ZBX_SERVER_HOST + value: k8x_zabbix_server + - name: ZBX_STARTAGENTS + value: "1" + - name: ZBX_TIMEOUT + value: "10" + - name: ZBX_TLSCONNECT + value: "psk" + - name: ZBX_TLSACCEPT + value: "psk" + - name: ZBX_TLSPSKIDENTITY + valueFrom: + secretKeyRef: + name: zabbix-psk-id-secret + key: zabbix_psk_id + - name: ZBX_TLSPSKFILE + value: "zabbix_agentd.psk" + - name: ZBX_ACTIVE_ALLOW + value: "false" + securityContext: + privileged: true + resources: + requests: + cpu: 0.15 + volumeMounts: + - name: zabbix-psk-config + mountPath: "/var/lib/zabbix/enc" + readOnly: true + volumes: + - name: zabbix-psk-config + secret: + secretName: zabbix-psk-secret diff --git a/yaml/registry/registry-cert.yaml b/yaml/registry/registry-cert.yaml new file mode 100644 index 0000000..0175434 --- /dev/null +++ b/yaml/registry/registry-cert.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: registry-cert + namespace: registry +spec: + secretName: registry-tls + issuerRef: + name: letsencrypt-production-dns + kind: ClusterIssuer + commonName: '${REGISTRY_URL}' + dnsNames: + - '${REGISTRY_URL}' + privateKey: + algorithm: ECDSA \ No newline at end of file diff --git a/yaml/registry/registry-ingress-secure.yaml b/yaml/registry/registry-ingress-secure.yaml new file mode 100644 index 0000000..92ca09e --- /dev/null +++ b/yaml/registry/registry-ingress-secure.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: registry-ingress + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "2048m" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "600" + nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "10" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" +spec: + rules: + - host: ${REGISTRY_URL} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: registry + port: + number: 5000 + tls: + - secretName: registry-tls + hosts: + - ${REGISTRY_URL} \ No newline at end of file diff --git a/yaml/registry/registry-ingress.yaml b/yaml/registry/registry-ingress.yaml new file mode 100644 index 0000000..4fc3334 --- /dev/null +++ b/yaml/registry/registry-ingress.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: registry-ingress + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/proxy-body-size: "2048m" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "600" + nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "600" + nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "10" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-request-buffering: "off" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" +spec: + rules: + - host: ${REGISTRY_URL} + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: registry + port: + number: 5000 \ No newline at end of file diff --git a/yaml/registry/registry-volumes-nfs.yaml b/yaml/registry/registry-volumes-nfs.yaml new file mode 100644 index 0000000..c291227 --- /dev/null +++ b/yaml/registry/registry-volumes-nfs.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: registry-data + namespace: registry +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 420Gi + volumeName: "registry-data" +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: registry-data +spec: + capacity: + storage: 420Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + nfs: + path: "/srv/registry/data" + server: 10.15.8.10 + readOnly: false \ No newline at end of file diff --git a/yaml/registry/registry-volumes.yaml b/yaml/registry/registry-volumes.yaml new file mode 100644 index 0000000..2583f89 --- /dev/null +++ b/yaml/registry/registry-volumes.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: registry-data + namespace: registry +spec: + accessModes: + - ReadWriteOnce + storageClassName: rados-block + resources: + requests: + storage: 128Gi \ No newline at end of file diff --git a/yaml/registry/registry.yaml b/yaml/registry/registry.yaml new file mode 100644 index 0000000..ff8c6d1 --- /dev/null +++ b/yaml/registry/registry.yaml @@ -0,0 +1,93 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: registry-config +data: + registry-config.yml: | + version: 0.1 + log: + fileds: + service: registry + storage: + cache: + blobdescriptor: inmemory + filesystem: + rootdirectory: /var/lib/registry + http: + addr: :5000 + headers: + X-Content-Type-Options: [nosniff] + auth: + htpasswd: + realm: basic-realm + path: /auth/htpasswd + health: + storagedriver: + enabled: true + interval: 10s + threshold: 3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry + labels: + app: registry +spec: + replicas: 1 + selector: + matchLabels: + app: registry + strategy: + type: Recreate + template: + metadata: + labels: + app: registry + spec: + containers: + - name: registry + image: "registry:latest" + imagePullPolicy: IfNotPresent + securityContext: + privileged: false + ports: + - name: http + containerPort: 5000 + protocol: TCP + volumeMounts: + - name: registry-data + mountPath: "/var/lib/registry" + - name: registry-config + mountPath: "/etc/docker/registry" + readOnly: true + - name: registry-htpasswd + mountPath: "/auth" + readOnly: true + volumes: + - name: registry-data + persistentVolumeClaim: + claimName: registry-data + - name: registry-config + configMap: + name: registry-config + items: + - key: registry-config.yml + path: config.yml + - name: registry-htpasswd + secret: + secretName: registry-sec + items: + - key: HTPASSWD + path: htpasswd +--- +apiVersion: v1 +kind: Service +metadata: + name: registry +spec: + ports: + - port: 5000 + selector: + app: registry \ No newline at end of file diff --git a/yaml/system/namespace-resource-limits.yaml b/yaml/system/namespace-resource-limits.yaml new file mode 100644 index 0000000..4327621 --- /dev/null +++ b/yaml/system/namespace-resource-limits.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: default-resource-limits +spec: + limits: + - default: + memory: 4096Mi + defaultRequest: + cpu: 10m + memory: 128Mi + type: Container diff --git a/yaml/system/namespace-wild-cert.yaml b/yaml/system/namespace-wild-cert.yaml new file mode 100644 index 0000000..3bef06c --- /dev/null +++ b/yaml/system/namespace-wild-cert.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-${nspace}-cert + namespace: ${nspace} +spec: + secretName: wildcard-${nspace}-tls + issuerRef: + name: letsencrypt-production-dns + kind: ClusterIssuer + commonName: '*.${nspace}.${CLUSTER_DOMAIN}' + dnsNames: + - '${nspace}.${CLUSTER_DOMAIN}' + - '*.${nspace}.${CLUSTER_DOMAIN}' + privateKey: + algorithm: ECDSA \ No newline at end of file diff --git a/yaml/system/namespace.yaml b/yaml/system/namespace.yaml new file mode 100644 index 0000000..1b85fb8 --- /dev/null +++ b/yaml/system/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: ${nspace} diff --git a/yaml/system/sa-rbac-backup-agent.yaml b/yaml/system/sa-rbac-backup-agent.yaml new file mode 100644 index 0000000..8a6c4c1 --- /dev/null +++ b/yaml/system/sa-rbac-backup-agent.yaml @@ -0,0 +1,33 @@ +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: backup-agent-role + namespace: ${nspace} +rules: +- apiGroups: [""] + resources: + - pods + - pods/log + verbs: + - get + - list +- apiGroups: [""] + resources: + - pods/exec + verbs: + - create +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: backup-agent-rolebinding + namespace: ${nspace} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: backup-agent-role +subjects: +- kind: ServiceAccount + name: backup-agent-sa + namespace: ${nspace} \ No newline at end of file diff --git a/yaml/system/sa-rbac.yaml b/yaml/system/sa-rbac.yaml new file mode 100644 index 0000000..7a5a0eb --- /dev/null +++ b/yaml/system/sa-rbac.yaml @@ -0,0 +1,110 @@ +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admin-role + namespace: ${nspace} +rules: + - apiGroups: [ "", "extensions", "apps", "batch", "autoscaling" ] + resources: + - pods + - pods/log + - pods/exec + - pods/portforward + - daemonsets + - deployments + - services + - replicasets + - replicationcontrollers + - statefulsets + - horizontalpodautoscalers + - jobs + - cronjobs + - events + - ingresses + - persistentvolumeclaims + - certificates + - configmaps + - secrets + - logs + verbs: + - get + - list + - watch + - create + - update + - delete + - patch + - apiGroups: [ "certmanager.k8s.io" ] + resources: + - issuers + verbs: + - get + - list + - watch + - apiGroups: [ "certmanager.k8s.io" ] + resources: + - certificates + verbs: + - get + - list + - watch + - create + - update + - delete + - patch + - apiGroups: [ "networking.k8s.io" ] + resources: + - ingresses + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admin-rolebinding + namespace: ${nspace} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: admin-role +subjects: +- kind: ServiceAccount + name: admin-sa + namespace: ${nspace} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: admin-${nspace}-clusterrole +rules: +- apiGroups: [ "" ] + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - update + - delete + - patch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: admin-${nspace}-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin-${nspace}-clusterrole +subjects: +- kind: ServiceAccount + name: admin-sa + namespace: ${nspace} \ No newline at end of file