apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null labels: controller-tools.k8s.io: "1.0" name: certificates.certmanager.k8s.io spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .spec.secretName name: Secret type: string - JSONPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - JSONPath: .status.conditions[?(@.type=="Ready")].message name: Status priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io names: kind: Certificate plural: certificates shortNames: - cert - certs scope: Namespaced validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: acme: description: ACME contains configuration specific to ACME Certificates. Notably, this contains details on how the domain names listed on this Certificate resource should be 'solved', i.e. mapping HTTP01 and DNS01 providers to DNS names. 
properties: config: items: properties: domains: description: Domains is the list of domains that this SolverConfig applies to. items: type: string type: array required: - domains type: object type: array required: - config type: object commonName: description: CommonName is a common name to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName. The CommonName should have a length of 64 characters or fewer to avoid generating invalid CSRs; in order to have longer domain names, set the CommonName (or first DNSNames entry) to have 64 characters or fewer, and then add the longer domain name to DNSNames. type: string dnsNames: description: DNSNames is a list of subject alt names to be used on the Certificate. If no CommonName is given, then the first entry in DNSNames is used as the CommonName and must have a length of 64 characters or fewer. items: type: string type: array duration: description: Certificate default Duration type: string ipAddresses: description: IPAddresses is a list of IP addresses to be used on the Certificate items: type: string type: array isCA: description: IsCA will mark this Certificate as valid for signing. This implies that the 'signing' usage is set type: boolean issuerRef: description: IssuerRef is a reference to the issuer for this certificate. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the Certificate will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times. properties: group: type: string kind: type: string name: type: string required: - name type: object keyAlgorithm: description: KeyAlgorithm is the private key algorithm of the corresponding private key for this certificate. 
If provided, allowed values are either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is not provided, key size of 256 will be used for "ecdsa" key algorithm and key size of 2048 will be used for "rsa" key algorithm. enum: - rsa - ecdsa type: string keyEncoding: description: KeyEncoding is the private key cryptography standards (PKCS) for this certificate's private key to be encoded in. If provided, allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, respectively. If KeyEncoding is not specified, then PKCS#1 will be used by default. type: string keySize: description: KeySize is the key bit size of the corresponding private key for this certificate. If provided, value must be between 2048 and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", and value must be one of (256, 384, 521) when KeyAlgorithm is set to "ecdsa". format: int64 type: integer organization: description: Organization is the organization to be used on the Certificate items: type: string type: array renewBefore: description: Certificate renew before expiration duration type: string secretName: description: SecretName is the name of the secret resource to store this secret in type: string required: - secretName - issuerRef type: object status: properties: conditions: items: properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). 
type: string required: - type - status type: object type: array lastFailureTime: format: date-time type: string notAfter: description: The expiration time of the certificate stored in the secret named by this resource in spec.secretName. format: date-time type: string type: object version: v1alpha1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null labels: controller-tools.k8s.io: "1.0" name: certificaterequests.certmanager.k8s.io spec: additionalPrinterColumns: - JSONPath: .status.conditions[?(@.type=="Ready")].status name: Ready type: string - JSONPath: .spec.issuerRef.name name: Issuer priority: 1 type: string - JSONPath: .status.conditions[?(@.type=="Ready")].message name: Status priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io names: kind: CertificateRequest plural: certificaterequests shortNames: - cr - crs scope: Namespaced validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: csr: description: Byte slice containing the PEM encoded CertificateSigningRequest format: byte type: string duration: description: Requested certificate default Duration type: string isCA: description: IsCA will mark the resulting certificate as valid for signing. This implies that the 'signing' usage is set type: boolean issuerRef: description: IssuerRef is a reference to the issuer for this CertificateRequest. If the 'kind' field is not set, or set to 'Issuer', an Issuer resource with the given name in the same namespace as the CertificateRequest will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer with the provided name will be used. The 'name' field in this stanza is required at all times. The group field refers to the API group of the issuer which defaults to 'certmanager.k8s.io' if empty. properties: group: type: string kind: type: string name: type: string required: - name type: object required: - issuerRef type: object status: properties: ca: description: Byte slice containing the PEM encoded certificate authority of the signed certificate. format: byte type: string certificate: description: Byte slice containing a PEM encoded signed certificate resulting from the given certificate signing request. format: byte type: string conditions: items: properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). 
enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). type: string required: - type - status type: object type: array type: object version: v1alpha1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null labels: controller-tools.k8s.io: "1.0" name: challenges.certmanager.k8s.io spec: additionalPrinterColumns: - JSONPath: .status.state name: State type: string - JSONPath: .spec.dnsName name: Domain type: string - JSONPath: .status.reason name: Reason priority: 1 type: string - JSONPath: .metadata.creationTimestamp description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. name: Age type: date group: certmanager.k8s.io names: kind: Challenge plural: challenges scope: Namespaced validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: authzURL: description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of. type: string config: description: 'Config specifies the solver configuration for this challenge. 
Only **one** of ''config'' or ''solver'' may be specified, and if both are specified then no action will be performed on the Challenge resource. DEPRECATED: the ''solver'' field should be specified instead' type: object dnsName: description: DNSName is the identifier that this challenge is for, e.g. example.com. type: string issuerRef: description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed. properties: group: type: string kind: type: string name: type: string required: - name type: object key: description: Key is the ACME challenge key for this challenge type: string solver: description: Solver contains the domain solving configuration that should be used to solve this challenge resource. Only **one** of 'config' or 'solver' may be specified, and if both are specified then no action will be performed on the Challenge resource. properties: selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. 
If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array matchLabels: description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object token: description: Token is the ACME challenge token for this challenge. type: string type: description: Type is the type of ACME challenge this resource represents, e.g. "dns01" or "http01" type: string url: description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to lookup details about the status of this challenge. type: string wildcard: description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com' type: boolean required: - authzURL - type - url - dnsName - token - key - wildcard - issuerRef type: object status: properties: presented: description: Presented will be set to true if the challenge values for this challenge are currently 'presented'. This *does not* imply the self check is passing. Only that the values have been 'submitted' for the appropriate challenge mechanism (i.e. the DNS01 TXT record has been presented, or the HTTP01 configuration has been configured). type: boolean processing: description: Processing is used to denote whether this challenge should be processed or not. This field will only be set to true by the 'scheduling' component. It will only be set to false by the 'challenges' controller, after the challenge has reached a final state or timed out. If this field is set to false, the challenge controller will not take any more action. type: boolean reason: description: Reason contains human readable information on why the Challenge is in the current state. type: string state: description: State contains the current 'state' of the challenge. 
If not set, the state of the challenge is unknown. enum: - "" - valid - ready - pending - processing - invalid - expired - errored type: string required: - processing - presented - reason type: object required: - metadata - spec - status version: v1alpha1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null labels: controller-tools.k8s.io: "1.0" name: clusterissuers.certmanager.k8s.io spec: group: certmanager.k8s.io names: kind: ClusterIssuer plural: clusterissuers scope: Cluster validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: acme: properties: email: description: Email is the email for this account type: string privateKeySecretRef: description: PrivateKey is the name of a secret containing the private key for this user account. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object server: description: Server is the ACME server URL type: string skipTLSVerify: description: If true, skip verifying the ACME server TLS certificate type: boolean solvers: description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. items: properties: selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array matchLabels: description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object type: array required: - server - privateKeySecretRef type: object ca: properties: secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. 
type: string required: - secretName type: object selfSigned: type: object vault: properties: auth: description: Vault authentication properties: appRole: description: This Secret contains a AppRole and Secret properties: path: description: Where the authentication path is mounted in Vault. type: string roleId: type: string secretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - path - roleId - secretRef type: object tokenSecretRef: description: This Secret contains the Vault token key properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object type: object caBundle: description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. format: byte type: string path: description: Vault URL path to the certificate role type: string server: description: Server is the vault connection address type: string required: - auth - server - path type: object venafi: properties: cloud: description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. properties: apiTokenSecretRef: description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. properties: key: description: The key of the secret to select from. 
Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object url: description: URL is the base URL for Venafi Cloud type: string required: - url - apiTokenSecretRef type: object tpp: description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. properties: caBundle: description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. format: byte type: string credentialsRef: description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object url: description: URL is the base URL for the Venafi TPP instance type: string required: - url - credentialsRef type: object zone: description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. 
type: string required: - zone type: object type: object status: properties: acme: properties: lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer type: string uri: description: URI is the unique account identifier, which can also be used to retrieve account details from the CA type: string type: object conditions: items: properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). type: string required: - type - status type: object type: array type: object version: v1alpha1 status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: creationTimestamp: null labels: controller-tools.k8s.io: "1.0" name: issuers.certmanager.k8s.io spec: group: certmanager.k8s.io names: kind: Issuer plural: issuers scope: Namespaced validation: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: acme: properties: email: description: Email is the email for this account type: string privateKeySecretRef: description: PrivateKey is the name of a secret containing the private key for this user account. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object server: description: Server is the ACME server URL type: string skipTLSVerify: description: If true, skip verifying the ACME server TLS certificate type: boolean solvers: description: Solvers is a list of challenge solvers that will be used to solve ACME challenges for the matching domains. items: properties: selector: description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver. properties: dnsNames: description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector. If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array dnsZones: description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. 
If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected. items: type: string type: array matchLabels: description: A label selector that is used to refine the set of certificate's that this challenge solver will apply to. type: object type: object type: object type: array required: - server - privateKeySecretRef type: object ca: properties: secretName: description: SecretName is the name of the secret used to sign Certificates issued by this Issuer. type: string required: - secretName type: object selfSigned: type: object vault: properties: auth: description: Vault authentication properties: appRole: description: This Secret contains a AppRole and Secret properties: path: description: Where the authentication path is mounted in Vault. type: string roleId: type: string secretRef: properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object required: - path - roleId - secretRef type: object tokenSecretRef: description: This Secret contains the Vault token key properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object type: object caBundle: description: Base64 encoded CA bundle to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. 
If not set the system root certificates are used to validate the TLS connection. format: byte type: string path: description: Vault URL path to the certificate role type: string server: description: Server is the vault connection address type: string required: - auth - server - path type: object venafi: properties: cloud: description: Cloud specifies the Venafi cloud configuration settings. Only one of TPP or Cloud may be specified. properties: apiTokenSecretRef: description: APITokenSecretRef is a secret key selector for the Venafi Cloud API token. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' type: string required: - name type: object url: description: URL is the base URL for Venafi Cloud type: string required: - url - apiTokenSecretRef type: object tpp: description: TPP specifies Trust Protection Platform configuration settings. Only one of TPP or Cloud may be specified. properties: caBundle: description: CABundle is a PEM encoded TLS certifiate to use to verify connections to the TPP instance. If specified, system roots will not be used and the issuing CA for the TPP instance must be verifiable using the provided root. If not specified, the connection will be verified using the cert-manager system root certificates. format: byte type: string credentialsRef: description: CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, 'username' and 'password'. properties: name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string required: - name type: object url: description: URL is the base URL for the Venafi TPP instance type: string required: - url - credentialsRef type: object zone: description: Zone is the Venafi Policy Zone to use for this issuer. All requests made to the Venafi platform will be restricted by the named zone policy. This field is required. type: string required: - zone type: object type: object status: properties: acme: properties: lastRegisteredEmail: description: LastRegisteredEmail is the email associated with the latest registered ACME account, in order to track changes made to registered account associated with the Issuer type: string uri: description: URI is the unique account identifier, which can also be used to retrieve account details from the CA type: string type: object conditions: items: properties: lastTransitionTime: description: LastTransitionTime is the timestamp corresponding to the last status change of this condition. format: date-time type: string message: description: Message is a human readable description of the details of the last transition, complementing reason. type: string reason: description: Reason is a brief machine readable explanation for the condition's last transition. type: string status: description: Status of the condition, one of ('True', 'False', 'Unknown'). enum: - "True" - "False" - Unknown type: string type: description: Type of the condition, currently ('Ready'). 
                    type: string
                required:
                - type
                - status
                type: object
              type: array
          type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: orders.certmanager.k8s.io
spec:
  additionalPrinterColumns:
  - JSONPath: .status.state
    name: State
    type: string
  - JSONPath: .spec.issuerRef.name
    name: Issuer
    priority: 1
    type: string
  - JSONPath: .status.reason
    name: Reason
    priority: 1
    type: string
  - JSONPath: .metadata.creationTimestamp
    description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
    name: Age
    type: date
  group: certmanager.k8s.io
  names:
    kind: Order
    plural: orders
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            commonName:
              description: CommonName is the common name as specified on the DER encoded CSR. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
              type: string
            config:
              description: 'Config specifies a mapping from DNS identifiers to how those identifiers should be solved when performing ACME challenges. A config entry must exist for each domain listed in DNSNames and CommonName. Only **one** of ''config'' or ''solvers'' may be specified, and if both are specified then no action will be performed on the Order resource. This field will be removed when support for solver config specified on the Certificate under certificate.spec.acme has been removed. DEPRECATED: this field will be removed in future. Solver configuration must instead be provided on ACME Issuer resources.'
              items:
                properties:
                  domains:
                    description: Domains is the list of domains that this SolverConfig applies to.
                    items:
                      type: string
                    type: array
                required:
                - domains
                type: object
              type: array
            csr:
              description: Certificate signing request bytes in DER encoding. This will be used when finalizing the order. This field must be set on the order.
              format: byte
              type: string
            dnsNames:
              description: DNSNames is a list of DNS names that should be included as part of the Order validation process. If CommonName is not specified, the first DNSName specified will be used as the CommonName. At least one of CommonName or DNSNames must be set. This field must match the corresponding field on the DER encoded CSR.
              items:
                type: string
              type: array
            issuerRef:
              description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Order. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Order will be marked as failed.
              properties:
                group:
                  type: string
                kind:
                  type: string
                name:
                  type: string
              required:
              - name
              type: object
          required:
          - csr
          - issuerRef
          type: object
        status:
          properties:
            certificate:
              description: Certificate is a copy of the PEM encoded certificate for this Order.
                This field will be populated after the order has been successfully finalized with the ACME server, and the order has transitioned to the 'valid' state.
              format: byte
              type: string
            challenges:
              description: Challenges is a list of ChallengeSpecs for Challenges that must be created in order to complete this Order.
              items:
                properties:
                  authzURL:
                    description: AuthzURL is the URL to the ACME Authorization resource that this challenge is a part of.
                    type: string
                  config:
                    description: 'Config specifies the solver configuration for this challenge. Only **one** of ''config'' or ''solver'' may be specified, and if both are specified then no action will be performed on the Challenge resource. DEPRECATED: the ''solver'' field should be specified instead'
                    type: object
                  dnsName:
                    description: DNSName is the identifier that this challenge is for, e.g. example.com.
                    type: string
                  issuerRef:
                    description: IssuerRef references a properly configured ACME-type Issuer which should be used to create this Challenge. If the Issuer does not exist, processing will be retried. If the Issuer is not an 'ACME' Issuer, an error will be returned and the Challenge will be marked as failed.
                    properties:
                      group:
                        type: string
                      kind:
                        type: string
                      name:
                        type: string
                    required:
                    - name
                    type: object
                  key:
                    description: Key is the ACME challenge key for this challenge
                    type: string
                  solver:
                    description: Solver contains the domain solving configuration that should be used to solve this challenge resource. Only **one** of 'config' or 'solver' may be specified, and if both are specified then no action will be performed on the Challenge resource.
                    properties:
                      selector:
                        description: Selector selects a set of DNSNames on the Certificate resource that should be solved using this challenge solver.
                        properties:
                          dnsNames:
                            description: List of DNSNames that this solver will be used to solve. If specified and a match is found, a dnsNames selector will take precedence over a dnsZones selector.
                              If multiple solvers match with the same dnsNames value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          dnsZones:
                            description: List of DNSZones that this solver will be used to solve. The most specific DNS zone match specified here will take precedence over other DNS zone matches, so a solver specifying sys.example.com will be selected over one specifying example.com for the domain www.sys.example.com. If multiple solvers match with the same dnsZones value, the solver with the most matching labels in matchLabels will be selected. If neither has more matches, the solver defined earlier in the list will be selected.
                            items:
                              type: string
                            type: array
                          matchLabels:
                            description: A label selector that is used to refine the set of certificates that this challenge solver will apply to.
                            type: object
                        type: object
                    type: object
                  token:
                    description: Token is the ACME challenge token for this challenge.
                    type: string
                  type:
                    description: Type is the type of ACME challenge this resource represents, e.g. "dns01" or "http01"
                    type: string
                  url:
                    description: URL is the URL of the ACME Challenge resource for this challenge. This can be used to look up details about the status of this challenge.
                    type: string
                  wildcard:
                    description: Wildcard will be true if this challenge is for a wildcard identifier, for example '*.example.com'
                    type: boolean
                required:
                - authzURL
                - type
                - url
                - dnsName
                - token
                - key
                - wildcard
                - issuerRef
                type: object
              type: array
            failureTime:
              description: FailureTime stores the time that this order failed. This is used to influence garbage collection and back-off.
              format: date-time
              type: string
            finalizeURL:
              description: FinalizeURL of the Order. This is used to obtain certificates for this order once it has been completed.
              type: string
            reason:
              description: Reason optionally provides more information about why the order is in the current state.
              type: string
            state:
              description: State contains the current state of this Order resource. States 'success' and 'expired' are 'final'
              enum:
              - ""
              - valid
              - ready
              - pending
              - processing
              - invalid
              - expired
              - errored
              type: string
            url:
              description: URL of the Order. This will initially be empty when the resource is first created. The Order controller will populate this field when the Order is first processed. This field will be immutable after it is initially set.
              type: string
          type: object
      required:
      - metadata
      - spec
      - status
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---