Challenge v1 — acme.cert-manager.io

apiVersion string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

kind string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

metadata object required

spec object required

authorizationURL string required

The URL to the ACME Authorization resource that this challenge is a part of.

dnsName string required

dnsName is the identifier that this challenge is for, e.g., example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`.

issuerRef object required

References a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.

group string

Group of the issuer being referred to. Defaults to 'cert-manager.io'.

kind string

Kind of the issuer being referred to. Defaults to 'Issuer'.

name string required

Name of the issuer being referred to.

key string required

The ACME challenge key for this challenge For HTTP01 challenges, this is the value that must be responded with to complete the HTTP01 challenge in the format: `<private key JWK thumbprint>.<key from acme server for challenge>`. For DNS01 challenges, this is the base64 encoded SHA256 sum of the `<private key JWK thumbprint>.<key from acme server for challenge>` text that must be set as the TXT record content.

solver object required

Contains the domain solving configuration that should be used to solve this challenge resource.

dns01 object

Configures cert-manager to attempt to complete authorizations by performing the DNS01 challenge flow.

acmeDNS object

Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to manage DNS01 challenge records.

accountSecretRef object required

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

host string required

akamai object

Use the Akamai DNS zone management API to manage DNS01 challenge records.

accessTokenSecretRef object required

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

clientSecretSecretRef object required

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

clientTokenSecretRef object required

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

serviceConsumerDomain string required

azureDNS object

Use the Microsoft Azure DNS API to manage DNS01 challenge records.

clientID string

Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.

clientSecretSecretRef object

Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

environment string

name of the Azure environment (default AzurePublicCloud)

enum: AzurePublicCloud, AzureChinaCloud, AzureGermanCloud, AzureUSGovernmentCloud

hostedZoneName string

name of the DNS zone that should be used

managedIdentity object

Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.

clientID string

client ID of the managed identity, cannot be used at the same time as resourceID

resourceID string

resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity

tenantID string

tenant ID of the managed identity, cannot be used at the same time as resourceID

resourceGroupName string required

resource group the DNS zone is located in

subscriptionID string required

ID of the Azure subscription

tenantID string

Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.

zoneType string

ZoneType determines which type of Azure DNS zone to use. Valid values are: - AzurePublicZone (default): Use a public Azure DNS zone. - AzurePrivateZone: Use an Azure Private DNS zone. If not specified, AzurePublicZone is used. Support for Azure Private DNS zones is currently experimental and may change in future releases.

enum: AzurePublicZone, AzurePrivateZone

cloudDNS object

Use the Google Cloud DNS API to manage DNS01 challenge records.

hostedZoneName string

HostedZoneName is an optional field that tells cert-manager in which Cloud DNS zone the challenge record has to be created. If left empty cert-manager will automatically choose a zone.

project string required

serviceAccountSecretRef object

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

cloudflare object

Use the Cloudflare API to manage DNS01 challenge records.

apiKeySecretRef object

API key to use to authenticate with Cloudflare. Note: using an API token to authenticate is now the recommended method as it allows greater control of permissions.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

apiTokenSecretRef object

API token used to authenticate with Cloudflare.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

email string

Email of the account, only required when using API key based authentication.

cnameStrategy string

CNAMEStrategy configures how the DNS01 provider should handle CNAME records when found in DNS zones.

enum: None, Follow

digitalocean object

Use the DigitalOcean DNS API to manage DNS01 challenge records.

tokenSecretRef object required

A reference to a specific 'key' within a Secret resource. In some instances, `key` is a required field.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

rfc2136 object

Use RFC2136 ("Dynamic Updates in the Domain Name System") (https://datatracker.ietf.org/doc/rfc2136/) to manage DNS01 challenge records.

nameserver string required

The IP address or hostname of an authoritative DNS server supporting RFC2136 in the form host:port. If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]); port is optional. This field is required.

protocol string

Protocol to use for dynamic DNS update queries. Valid values are (case-sensitive) ``TCP`` and ``UDP``; ``UDP`` (default).

enum: TCP, UDP

tsigAlgorithm string

The TSIG Algorithm configured in the DNS supporting RFC2136. Used only when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. Supported values are (case-insensitive): ``HMACMD5`` (default), ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``.

tsigKeyName string

The TSIG Key name configured in the DNS. If ``tsigSecretSecretRef`` is defined, this field is required.

tsigSecretSecretRef object

The name of the secret containing the TSIG value. If ``tsigKeyName`` is defined, this field is required.

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

route53 object

Use the AWS Route53 API to manage DNS01 challenge records.

accessKeyID string

The AccessKeyID is used for authentication. Cannot be set when SecretAccessKeyID is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

accessKeyIDSecretRef object

The SecretAccessKey is used for authentication. If set, pull the AWS access key ID from a key within a Kubernetes Secret. Cannot be set when AccessKeyID is set. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

auth object

Auth configures how cert-manager authenticates.

kubernetes object required

Kubernetes authenticates with Route53 using AssumeRoleWithWebIdentity by passing a bound ServiceAccount token.

serviceAccountRef object required

A reference to a service account that will be used to request a bound token (also known as "projected token"). To use this field, you must configure an RBAC rule to let cert-manager request a token.

audiences []string

TokenAudiences is an optional list of audiences to include in the token passed to AWS. The default token consisting of the issuer's namespace and name is always included. If unset the audience defaults to `sts.amazonaws.com`.

name string required

Name of the ServiceAccount used to request a token.

hostedZoneID string

If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.

region string

Override the AWS region. Route53 is a global service and does not have regional endpoints but the region specified here (or via environment variables) is used as a hint to help compute the correct AWS credential scope and partition when it connects to Route53. See: - [Amazon Route 53 endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) - [Global services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) If you omit this region field, cert-manager will use the region from AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set in the cert-manager controller Pod. The `region` field is not needed if you use [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: [Amazon EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). In this case this `region` field value is ignored. The `region` field is not needed if you use [EKS Pod Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: [Amazon EKS Pod Identity Agent](https://github.com/aws/eks-pod-identity-agent), In this case this `region` field value is ignored.

role string

Role is a Role ARN which the Route53 provider will assume using either the explicit credentials AccessKeyID/SecretAccessKey or the inferred credentials from environment variables, shared credentials file or AWS Instance metadata

secretAccessKeySecretRef object

The SecretAccessKey is used for authentication. If neither the Access Key nor Key ID are set, we fall back to using env vars, shared credentials file, or AWS Instance metadata, see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials

key string

The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.

name string required

Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

webhook object

Configure an external webhook based DNS01 challenge solver to manage DNS01 challenge records.

config object

Additional configuration that should be passed to the webhook apiserver when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation.

groupName string required

The API group name that should be used when POSTing ChallengePayload resources to the webhook apiserver. This should be the same as the GroupName specified in the webhook provider implementation.

solverName string required

The name of the solver to use, as defined in the webhook provider implementation. This will typically be the name of the provider, e.g., 'cloudflare'.

http01 object

Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names (e.g., `*.example.com`) using the HTTP01 challenge mechanism.

gatewayHTTPRoute object

The Gateway API is a sig-network community API that models service networking in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway solver will create HTTPRoutes with the specified labels in the same namespace as the challenge. This solver is experimental, and fields / behaviour may change in the future.

labels object

Custom labels that will be applied to HTTPRoutes created by cert-manager while solving HTTP-01 challenges.

parentRefs []object

When solving an HTTP-01 challenge, cert-manager creates an HTTPRoute. cert-manager needs to know which parentRefs should be used when creating the HTTPRoute. Usually, the parentRef references a Gateway. See: https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways

group string

Group is the group of the referent. When unspecified, "gateway.networking.k8s.io" is inferred. To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). Support: Core

pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

maxLength: 253

kind string

Kind is kind of the referent. There are two kinds of parent resources with "Core" support: * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific.

pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$

minLength: 1

maxLength: 63

name string required

Name is the name of the referent. Support: Core

minLength: 1

maxLength: 253

namespace string

Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. <gateway:experimental:description> ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. </gateway:experimental:description> Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$

minLength: 1

maxLength: 63

port integer

Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. <gateway:experimental:description> When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. </gateway:experimental:description> Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended

format: int32

minimum: 1

maximum: 65535

sectionName string

SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core

pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

minLength: 1

maxLength: 253

podTemplate object

Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.

metadata object

ObjectMeta overrides for the pod used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.

annotations object

Annotations that should be added to the created ACME HTTP01 solver pods.

labels object

Labels that should be added to the created ACME HTTP01 solver pods.

spec object

PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.

affinity object

If specified, the pod's scheduling constraints

nodeAffinity object

Describes node affinity scheduling rules for the pod.

preferredDuringSchedulingIgnoredDuringExecution []object

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.

preference object required

A node selector term, associated with the corresponding weight.

matchExpressions []object

A list of node selector requirements by node's labels.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

matchFields []object

A list of node selector requirements by node's fields.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

weight integer required

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution object

nodeSelectorTerms []object required

Required. A list of node selector terms. The terms are ORed.

matchExpressions []object

A list of node selector requirements by node's labels.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A list of node selector requirements by node's fields.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

podAffinity object

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

matchLabelKeys []string

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.

mismatchLabelKeys []string

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.

namespaceSelector object

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

topologyKey string required

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution []object

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

podAntiAffinity object

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and subtracting "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution []object

If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

imagePullSecrets []object

If specified, the pod's imagePullSecrets

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

nodeSelector object

NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

priorityClassName string

If specified, the pod's priorityClassName.

resources object

If specified, the pod's resource requirements. These values override the global resource configuration flags. Note that when only specifying resource limits, ensure they are greater than or equal to the corresponding global resource requests configured via controller flags (--acme-http01-solver-resource-request-cpu, --acme-http01-solver-resource-request-memory). Kubernetes will reject pod creation if limits are lower than requests, causing challenge failures.

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to the global values configured via controller flags. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

securityContext object

If specified, the pod's security context

fsGroup integer

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

format: int64

fsGroupChangePolicy string

fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows.

runAsGroup integer

The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

format: int64

runAsNonRoot boolean

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

runAsUser integer

The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

format: int64

seLinuxOptions object

The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

level string

Level is SELinux level label that applies to the container.

role string

Role is a SELinux role label that applies to the container.

type string

Type is a SELinux type label that applies to the container.

user string

User is a SELinux user label that applies to the container.

seccompProfile object

The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

localhostProfile string

localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must be set if type is "Localhost". Must NOT be set for any other type.

type string required

type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.

supplementalGroups []integer

A list of groups applied to the first process run in each container, in addition to the container's primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.

sysctls []object

Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.

name string required

Name of a property to set

value string required

Value of a property to set

serviceAccountName string

If specified, the pod's service account

tolerations []object

If specified, the pod's tolerations.

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

Operator represents a key's relationship to the value. Valid operators are Exists, Equal, Lt, and Gt. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. Lt and Gt perform numeric comparisons (requires feature gate TaintTolerationComparisonOperators).

tolerationSeconds integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

format: int64

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

serviceType string

Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.

ingress object

The ingress based HTTP01 challenge solver will solve challenges by creating or modifying Ingress resources in order to route requests for '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods that are provisioned by cert-manager for each Challenge to be completed.

class string

This field configures the annotation `kubernetes.io/ingress.class` when creating Ingress resources to solve ACME challenges that use this challenge solver. Only one of `class`, `name` or `ingressClassName` may be specified.

ingressClassName string

This field configures the field `ingressClassName` on the created Ingress resources used to solve ACME challenges that use this challenge solver. This is the recommended way of configuring the ingress class. Only one of `class`, `name` or `ingressClassName` may be specified.

ingressTemplate object

Optional ingress template used to configure the ACME challenge solver ingress used for HTTP01 challenges.

metadata object

ObjectMeta overrides for the ingress used to solve HTTP01 challenges. Only the 'labels' and 'annotations' fields may be set. If labels or annotations overlap with in-built values, the values here will override the in-built values.

annotations object

Annotations that should be added to the created ACME HTTP01 solver ingress.

labels object

Labels that should be added to the created ACME HTTP01 solver ingress.

name string

The name of the ingress resource that should have ACME challenge solving routes inserted into it in order to solve HTTP01 challenges. This is typically used in conjunction with ingress controllers like ingress-gce, which maintains a 1:1 mapping between external IPs and ingress resources. Only one of `class`, `name` or `ingressClassName` may be specified.

podTemplate object

Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.

metadata object

annotations object

Annotations that should be added to the created ACME HTTP01 solver pods.

labels object

Labels that should be added to the created ACME HTTP01 solver pods.

spec object

PodSpec defines overrides for the HTTP01 challenge solver pod. Check ACMEChallengeSolverHTTP01IngressPodSpec to find out currently supported fields. All other fields will be ignored.

affinity object

If specified, the pod's scheduling constraints

nodeAffinity object

Describes node affinity scheduling rules for the pod.

preferredDuringSchedulingIgnoredDuringExecution []object

preference object required

A node selector term, associated with the corresponding weight.

matchExpressions []object

A list of node selector requirements by node's labels.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A list of node selector requirements by node's fields.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

weight integer required

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution object

nodeSelectorTerms []object required

Required. A list of node selector terms. The terms are ORed.

matchExpressions []object

A list of node selector requirements by node's labels.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

matchFields []object

A list of node selector requirements by node's fields.

key string required

The label key that the selector applies to.

operator string required

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

values []string

podAffinity object

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

podAntiAffinity object

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

preferredDuringSchedulingIgnoredDuringExecution []object

podAffinityTerm object required

Required. A pod affinity term, associated with the corresponding weight.

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

weight integer required

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

format: int32

requiredDuringSchedulingIgnoredDuringExecution []object

labelSelector object

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

matchLabelKeys []string

mismatchLabelKeys []string

namespaceSelector object

matchExpressions []object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

matchLabels object

namespaces []string

topologyKey string required

imagePullSecrets []object

If specified, the pod's imagePullSecrets

name string

nodeSelector object

priorityClassName string

If specified, the pod's priorityClassName.

resources object

limits object

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

requests object

securityContext object

If specified, the pod's security context

fsGroup integer

format: int64

fsGroupChangePolicy string

runAsGroup integer

format: int64

runAsNonRoot boolean

runAsUser integer

format: int64

seLinuxOptions object

level string

Level is SELinux level label that applies to the container.

role string

Role is a SELinux role label that applies to the container.

type string

Type is a SELinux type label that applies to the container.

user string

User is a SELinux user label that applies to the container.

seccompProfile object

The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

localhostProfile string

type string required

supplementalGroups []integer

sysctls []object

name string required

Name of a property to set

value string required

Value of a property to set

serviceAccountName string

If specified, the pod's service account

tolerations []object

If specified, the pod's tolerations.

effect string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

key string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

operator string

tolerationSeconds integer

format: int64

value string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

serviceType string

Optional service type for Kubernetes solver service. Supported values are NodePort or ClusterIP. If unset, defaults to NodePort.

selector object

Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. If not specified, the solver will be treated as the 'default' solver with the lowest priority, i.e. if any other solver has a more specific match, it will be used instead.

dnsNames []string

List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.

dnsZones []string

List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.

matchLabels object

A label selector that is used to refine the set of certificate's that this challenge solver will apply to.

token string required

The ACME challenge token for this challenge. This is the raw value returned from the ACME server.

type string required

The type of ACME challenge this resource represents. One of "HTTP-01" or "DNS-01".

enum: HTTP-01, DNS-01

url string required

The URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge.

wildcard boolean

wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'.

status object

presented boolean

presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured).

processing boolean

Used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action.

reason string

Contains human readable information on why the Challenge is in the current state.

state string

Contains the current 'state' of the challenge. If not set, the state of the challenge is unknown.

enum: valid, ready, pending, processing, invalid, expired, errored