From 5c016015efea03035844dea2a60e49335a922b4a Mon Sep 17 00:00:00 2001
From: kjubybot
Date: Mon, 17 Feb 2025 20:05:59 +0100
Subject: [PATCH] add cert-manager for easy cert issuing

---
 k8s/flux.cue | 42 +-
 .../challenge/v1/types_gen.cue | 2798 ++++++++++++++
 .../order/v1/types_gen.cue | 95 +
 .../certificate/v1/types_gen.cue | 562 +++
 .../certificaterequest/v1/types_gen.cue | 160 +
 .../clusterissuer/v1/types_gen.cue | 3267 +++++++++++++++++
 .../cert-manager.io/issuer/v1/types_gen.cue | 3265 ++++++++++++++++
 k8s/timoni/codebattle/templates/config.cue | 7 +-
 k8s/timoni/codebattle/templates/httproute.cue | 4 +-
 k8s/timoni/codebattle/templates/issuer.cue | 25 +
 k8s/timoni/gateway/templates/config.cue | 1 +
 k8s/timoni/gateway/templates/gateway.cue | 11 +-
 k8s/timoni/gateway/templates/httproute.cue | 24 +
 .../kustomize-oci/templates/kustomization.cue | 5 +-
 k8s/timoni/values.cue | 1 +
 15 files changed, 10251 insertions(+), 16 deletions(-)
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue
 create mode 100644 k8s/timoni/codebattle/templates/issuer.cue
 create mode 100644 k8s/timoni/gateway/templates/httproute.cue
diff --git a/k8s/flux.cue b/k8s/flux.cue
index 4594ff1d8..556da731b 100644
--- a/k8s/flux.cue
+++ b/k8s/flux.cue
@@ -2,6 +2,26 @@ bundle: {
 apiVersion: "v1alpha1"
 name: "codebattle"
 instances: {
+"cert-manager": {
+module: url: "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
+namespace: "flux-system"
+values: {
+repository: url: "https://charts.jetstack.io"
+chart: {
+name: "cert-manager"
+version: "v1.17.0"
+}
+sync: targetNamespace: "codebattle"
+helmValues: {
+crds: enabled: true
+config: {
+apiVersion: "controller.config.cert-manager.io/v1alpha1"
+kind: "ControllerConfiguration"
+enableGatewayAPI: true
+}
+}
+}
+}
 "gateway": {
 module: url: "oci://ghcr.io/stefanprodan/modules/flux-helm-release"
 namespace: "flux-system"
@@ -26,17 +46,23 @@ bundle: {
 username: string @timoni(runtime:string:GITHUB_USERNAME)
 password: string @timoni(runtime:string:GITHUB_TOKEN)
 }
+_hostname: string @timoni(runtime:string:CODEBATTLE_HOSTNAME)
 patches: [{
-apiVersion: "gateway.networking.k8s.io/v1"
-kind: "HTTPRoute"
-metadata: {
-name: "codebattle"
+patch: [{
+op: "add"
+path: "/spec/listeners/0/hostname"
+value: _hostname
+}, {
+op: "add"
+path: "/spec/listeners/1/hostname"
+value: _hostname
+}]
+target: {
+group: "gateway.networking.k8s.io"
+kind: "Gateway"
+name: "gateway"
 namespace: "codebattle"
 }
-spec: {
-_hostname: string @timoni(runtime:string:CODEBATTLE_HOSTNAME)
-hostnames: [_hostname]
-}
 }]
 }
 }
diff --git a/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue
new file mode 100644
index 000000000..613b4c7b9
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue
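Review bot: The controller config sets `enableGatewayAPI: true`, which makes cert-manager require the Gateway API CRDs to be present when it starts, but nothing in this hunk orders the `cert-manager` instance after the `gateway` instance that presumably provides them, so the first reconciliation can leave the controller failing until the CRDs appear. If the flux-helm-release module exposes a release dependency field, wire it here; otherwise document the expected install order with a comment such as `// requires the Gateway API CRDs from the "gateway" instance to exist first`. `sync: targetNamespace: "codebattle"` also places a cluster-scoped component (its webhook and cluster-wide RBAC) in the application namespace rather than a dedicated one, which is a defensible choice but deserves a one-line comment explaining it. The enclosing `bundle` block starts before the hunk.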
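Review bot: The two JSON patches bind the hostname to listeners `0` and `1` by array index, so a listener added to the gateway template later is silently left without the restriction and a reordering applies it to the wrong one; since the listener hostname decides which routes may attach and which name a certificate is requested for, the coupling should be stated, e.g. `// NOTE: listener indexes must match the order in k8s/timoni/gateway/templates/gateway.cue`. Using `op: "add"` on a missing index fails the whole Kustomization rather than skipping, which is the safe direction and worth noting in the same comment. The HTTPRoute `hostnames` restriction removed here is presumably re-established in the httproute.cue changes listed in the diffstat; if it is not, routes now attach on listener hostname alone. The enclosing `instances` block starts before the hunk.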
@@ -0,0 +1,2798 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// Challenge is a type to represent a Challenge request with an +// ACME server +#Challenge: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "acme.cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Challenge" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + spec!: #ChallengeSpec +} +#ChallengeSpec: { + // The URL to the ACME Authorization resource that this + // challenge is a part of. + authorizationURL!: string + + // dnsName is the identifier that this challenge is for, e.g. + // example.com. + // If the requested DNSName is a 'wildcard', this field MUST be + // set to the + // non-wildcard domain, e.g. for `*.example.com`, it must be + // `example.com`. + dnsName!: string + + // References a properly configured ACME-type Issuer which should + // be used to create this Challenge. + // If the Issuer does not exist, processing will be retried. 
+ // If the Issuer is not an 'ACME' Issuer, an error will be + // returned and the + // Challenge will be marked as failed. + issuerRef!: { + // Group of the resource being referred to. + group?: string + + // Kind of the resource being referred to. + kind?: string + + // Name of the resource being referred to. + name!: string + } + + // The ACME challenge key for this challenge + // For HTTP01 challenges, this is the value that must be responded + // with to + // complete the HTTP01 challenge in the format: + // `.`. + // For DNS01 challenges, this is the base64 encoded SHA256 sum of + // the + // `.` + // text that must be set as the TXT record content. + key!: string + + // Contains the domain solving configuration that should be used + // to + // solve this challenge resource. + solver!: { + // Configures cert-manager to attempt to complete authorizations + // by + // performing the DNS01 challenge flow. + dns01?: { + // Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to + // manage + // DNS01 challenge records. + acmeDNS?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + accountSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + host!: string + } + + // Use the Akamai DNS zone management API to manage DNS01 + // challenge records. + akamai?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + accessTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. 
+ key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientSecretSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + serviceConsumerDomain!: string + } + + // Use the Microsoft Azure DNS API to manage DNS01 challenge + // records. + azureDNS?: { + // Auth: Azure Service Principal: + // The ClientID of the Azure Service Principal used to + // authenticate with Azure DNS. + // If set, ClientSecret and TenantID must also be set. + clientID?: string + + // Auth: Azure Service Principal: + // A reference to a Secret containing the password associated with + // the Service Principal. + // If set, ClientID and TenantID must also be set. + clientSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // name of the Azure environment (default AzurePublicCloud) + environment?: "AzurePublicCloud" | "AzureChinaCloud" | "AzureGermanCloud" | "AzureUSGovernmentCloud" + + // name of the DNS zone that should be used + hostedZoneName?: string + + // Auth: Azure Workload Identity or Azure Managed Service + // Identity: + // Settings to enable Azure Workload Identity or Azure Managed + // Service Identity + // If set, ClientID, ClientSecret and TenantID must not be set. + managedIdentity?: { + // client ID of the managed identity, can not be used at the same + // time as resourceID + clientID?: string + + // resource ID of the managed identity, can not be used at the + // same time as clientID + // Cannot be used for Azure Managed Service Identity + resourceID?: string + + // tenant ID of the managed identity, can not be used at the same + // time as resourceID + tenantID?: string + } + + // resource group the DNS zone is located in + resourceGroupName!: string + + // ID of the Azure subscription + subscriptionID!: string + + // Auth: Azure Service Principal: + // The TenantID of the Azure Service Principal used to + // authenticate with Azure DNS. + // If set, ClientID and ClientSecret must also be set. + tenantID?: string + } + + // Use the Google Cloud DNS API to manage DNS01 challenge records. + cloudDNS?: { + // HostedZoneName is an optional field that tells cert-manager in + // which + // Cloud DNS zone the challenge record has to be created. + // If left empty cert-manager will automatically choose a zone. + hostedZoneName?: string + project!: string + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + serviceAccountSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. 
+ // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the Cloudflare API to manage DNS01 challenge records. + cloudflare?: { + // API key to use to authenticate with Cloudflare. + // Note: using an API token to authenticate is now the recommended + // method + // as it allows greater control of permissions. + apiKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // API token used to authenticate with Cloudflare. + apiTokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Email of the account, only required when using API key based + // authentication. + email?: string + } + + // CNAMEStrategy configures how the DNS01 provider should handle + // CNAME + // records when found in DNS zones. + cnameStrategy?: "None" | "Follow" + digitalocean?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + tokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. 
+ key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use RFC2136 ("Dynamic Updates in the Domain Name System") + // (https://datatracker.ietf.org/doc/rfc2136/) + // to manage DNS01 challenge records. + rfc2136?: { + // The IP address or hostname of an authoritative DNS server + // supporting + // RFC2136 in the form host:port. If the host is an IPv6 address + // it must be + // enclosed in square brackets (e.g [2001:db8::1]) ; port is + // optional. + // This field is required. + nameserver!: string + + // The TSIG Algorithm configured in the DNS supporting RFC2136. + // Used only + // when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + // Supported values are (case-insensitive): ``HMACMD5`` (default), + // ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + tsigAlgorithm?: string + + // The TSIG Key name configured in the DNS. + // If ``tsigSecretSecretRef`` is defined, this field is required. + tsigKeyName?: string + + // The name of the secret containing the TSIG value. + // If ``tsigKeyName`` is defined, this field is required. + tsigSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the AWS Route53 API to manage DNS01 challenge records. + route53?: { + // The AccessKeyID is used for authentication. + // Cannot be set when SecretAccessKeyID is set. 
+ // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyID?: string + + // The SecretAccessKey is used for authentication. If set, pull + // the AWS + // access key ID from a key within a Kubernetes Secret. + // Cannot be set when AccessKeyID is set. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyIDSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + auth?: { + kubernetes!: { + // A reference to a service account that will be used to request a + // bound + // token (also known as "projected token"). To use this field, you + // must + // configure an RBAC rule to let cert-manager request a token. + serviceAccountRef!: { + // TokenAudiences is an optional list of audiences to include in + // the + // token passed to AWS. The default token consisting of the + // issuer's namespace + // and name is always included. + // If unset the audience defaults to `sts.amazonaws.com`. + audiences?: [...string] + + // Name of the ServiceAccount used to request a token. + name!: string + } + } + } + + // If set, the provider will manage only this zone in Route53 and + // will not do a lookup using the route53:ListHostedZonesByName + // api call. + hostedZoneID?: string + + // Override the AWS region. 
+ // + // Route53 is a global service and does not have regional + // endpoints but the + // region specified here (or via environment variables) is used as + // a hint to + // help compute the correct AWS credential scope and partition + // when it + // connects to Route53. See: + // - [Amazon Route 53 endpoints and + // quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + // - [Global + // services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + // + // If you omit this region field, cert-manager will use the region + // from + // AWS_REGION and AWS_DEFAULT_REGION environment variables, if + // they are set + // in the cert-manager controller Pod. + // + // The `region` field is not needed if you use [IAM Roles for + // Service Accounts + // (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + // In this case this `region` field value is ignored. + // + // The `region` field is not needed if you use [EKS Pod + // Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). + // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Agent](https://github.com/aws/eks-pod-identity-agent), + // In this case this `region` field value is ignored. + region?: string + + // Role is a Role ARN which the Route53 provider will assume using + // either the explicit credentials AccessKeyID/SecretAccessKey + // or the inferred credentials from environment variables, shared + // credentials file or AWS Instance metadata + role?: string + + // The SecretAccessKey is used for authentication. 
+ // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + secretAccessKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Configure an external webhook based DNS01 challenge solver to + // manage + // DNS01 challenge records. + webhook?: { + // Additional configuration that should be passed to the webhook + // apiserver + // when challenges are processed. + // This can contain arbitrary JSON data. + // Secret values should not be specified in this stanza. + // If secret values are needed (e.g. credentials for a DNS + // service), you + // should use a SecretKeySelector to reference a Secret resource. + // For details on the schema of this field, consult the webhook + // provider + // implementation's documentation. + config?: _ + + // The API group name that should be used when POSTing + // ChallengePayload + // resources to the webhook apiserver. + // This should be the same as the GroupName specified in the + // webhook + // provider implementation. + groupName!: string + + // The name of the solver to use, as defined in the webhook + // provider + // implementation. + // This will typically be the name of the provider, e.g. + // 'cloudflare'. + solverName!: string + } + } + + // Configures cert-manager to attempt to complete authorizations + // by + // performing the HTTP01 challenge flow. + // It is not possible to obtain certificates for wildcard domain + // names + // (e.g. `*.example.com`) using the HTTP01 challenge mechanism. 
+ http01?: { + // The Gateway API is a sig-network community API that models + // service networking + // in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway + // solver will + // create HTTPRoutes with the specified labels in the same + // namespace as the challenge. + // This solver is experimental, and fields / behaviour may change + // in the future. + gatewayHTTPRoute?: { + // Custom labels that will be applied to HTTPRoutes created by + // cert-manager + // while solving HTTP-01 challenges. + labels?: close({ + [string]: string + }) + + // When solving an HTTP-01 challenge, cert-manager creates an + // HTTPRoute. + // cert-manager needs to know which parentRefs should be used when + // creating + // the HTTPRoute. Usually, the parentRef references a Gateway. + // See: + // https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + parentRefs?: [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. 
+ // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. 
When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. 
For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. + // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. 
+ // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. 
+ values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). 
+ podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. 
+ // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. 
+ topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. 
+ // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. 
avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. 
A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. 
+ values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. 
+ // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. 
Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. 
+ // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + + // The ingress based HTTP01 challenge solver will solve challenges + // by + // creating or modifying Ingress resources in order to route + // requests for + // '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods + // that are + // provisioned by cert-manager for each Challenge to be completed. + ingress?: { + // This field configures the annotation + // `kubernetes.io/ingress.class` when + // creating Ingress resources to solve ACME challenges that use + // this + // challenge solver. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + class?: string + + // This field configures the field `ingressClassName` on the + // created Ingress + // resources used to solve ACME challenges that use this challenge + // solver. + // This is the recommended way of configuring the ingress class. + // Only one of + // `class`, `name` or `ingressClassName` may be specified. + ingressClassName?: string + ingressTemplate?: { + // ObjectMeta overrides for the ingress used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver ingress. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // ingress. + labels?: close({ + [string]: string + }) + } + } + + // The name of the ingress resource that should have ACME + // challenge solving + // routes inserted into it in order to solve HTTP01 challenges. 
+ // This is typically used in conjunction with ingress controllers + // like + // ingress-gce, which maintains a 1:1 mapping between external IPs + // and + // ingress resources. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + name?: string + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. + // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. 
+ preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. 
+ key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. 
+ // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. 
+ // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. 
Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. 
+ // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. 
+ // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. 
If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. 
+ // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. 
Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + } + + // Selector selects a set of DNSNames on the Certificate resource + // that + // should be solved using this challenge solver. + // If not specified, the solver will be treated as the 'default' + // solver + // with the lowest priority, i.e. if any other solver has a more + // specific + // match, it will be used instead. + selector?: { + // List of DNSNames that this solver will be used to solve. + // If specified and a match is found, a dnsNames selector will + // take + // precedence over a dnsZones selector. 
+ // If multiple solvers match with the same dnsNames value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsNames?: [...string] + + // List of DNSZones that this solver will be used to solve. + // The most specific DNS zone match specified here will take + // precedence + // over other DNS zone matches, so a solver specifying + // sys.example.com + // will be selected over one specifying example.com for the domain + // www.sys.example.com. + // If multiple solvers match with the same dnsZones value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsZones?: [...string] + + // A label selector that is used to refine the set of + // certificate's that + // this challenge solver will apply to. + matchLabels?: close({ + [string]: string + }) + } + } + + // The ACME challenge token for this challenge. + // This is the raw value returned from the ACME server. + token!: string + + // The type of ACME challenge this resource represents. + // One of "HTTP-01" or "DNS-01". + type!: "HTTP-01" | "DNS-01" + + // The URL of the ACME Challenge resource for this challenge. + // This can be used to lookup details about the status of this + // challenge. + url!: string + + // wildcard will be true if this challenge is for a wildcard + // identifier, + // for example '*.example.com'. + wildcard?: bool +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue new file mode 100644 index 000000000..2703f0034 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue 
@@ -0,0 +1,95 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// Order is a type to represent an Order with an ACME server +#Order: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "acme.cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Order" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + spec!: #OrderSpec +} +#OrderSpec: { + // CommonName is the common name as specified on the DER encoded + // CSR. + // If specified, this value must also be present in `dnsNames` or + // `ipAddresses`. + // This field must match the corresponding field on the DER + // encoded CSR. + commonName?: string + + // DNSNames is a list of DNS names that should be included as part + // of the Order + // validation process. + // This field must match the corresponding field on the DER + // encoded CSR. + dnsNames?: [...string] + + // Duration is the duration for the not after date for the + // requested certificate. + // this is set on order creation as pe the ACME spec. 
+ duration?: string + + // IPAddresses is a list of IP addresses that should be included + // as part of the Order + // validation process. + // This field must match the corresponding field on the DER + // encoded CSR. + ipAddresses?: [...string] + + // IssuerRef references a properly configured ACME-type Issuer + // which should + // be used to create this Order. + // If the Issuer does not exist, processing will be retried. + // If the Issuer is not an 'ACME' Issuer, an error will be + // returned and the + // Order will be marked as failed. + issuerRef!: { + // Group of the resource being referred to. + group?: string + + // Kind of the resource being referred to. + kind?: string + + // Name of the resource being referred to. + name!: string + } + + // Certificate signing request bytes in DER encoding. + // This will be used when finalizing the order. + // This field must be set on the order. + request!: string +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue new file mode 100644 index 000000000..f2a648fa6 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue 
@@ -0,0 +1,562 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// A Certificate resource should be created to ensure an up to +// date and signed +// X.509 certificate is stored in the Kubernetes Secret resource +// named in `spec.secretName`. +// +// The stored certificate will be renewed before it expires (as +// configured by `spec.renewBefore`). +#Certificate: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Certificate" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Specification of the desired state of the Certificate resource. + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + spec!: #CertificateSpec +} + +// Specification of the desired state of the Certificate resource. 
+// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +#CertificateSpec: { + // Defines extra output formats of the private key and signed + // certificate chain + // to be written to this Certificate's target Secret. + // + // This is a Beta Feature enabled by default. It can be disabled + // with the + // `--feature-gates=AdditionalCertificateOutputFormats=false` + // option set on both + // the controller and webhook components. + additionalOutputFormats?: [...{ + // Type is the name of the format type that should be written to + // the + // Certificate's target Secret. + type!: "DER" | "CombinedPEM" + }] + + // Requested common name X509 certificate subject attribute. + // More info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + // NOTE: TLS clients will ignore this value when any subject + // alternative name is + // set (see https://tools.ietf.org/html/rfc6125#section-6.4.4). + // + // Should have a length of 64 characters or fewer to avoid + // generating invalid CSRs. + // Cannot be set if the `literalSubject` field is set. + commonName?: string + + // Requested DNS subject alternative names. + dnsNames?: [...string] + + // Requested 'duration' (i.e. lifetime) of the Certificate. Note + // that the + // issuer may choose to ignore the requested duration, just like + // any other + // requested attribute. + // + // If unset, this defaults to 90 days. + // Minimum accepted duration is 1 hour. + // Value must be in units accepted by Go time.ParseDuration + // https://golang.org/pkg/time/#ParseDuration. + duration?: string + + // Requested email subject alternative names. + emailAddresses?: [...string] + + // Whether the KeyUsage and ExtKeyUsage extensions should be set + // in the encoded CSR. + // + // This option defaults to true, and should only be disabled if + // the target + // issuer does not support CSRs with these X509 KeyUsage/ + // ExtKeyUsage extensions. 
+ encodeUsagesInRequest?: bool + + // Requested IP address subject alternative names. + ipAddresses?: [...string] + + // Requested basic constraints isCA value. + // The isCA value is used to set the `isCA` field on the created + // CertificateRequest + // resources. Note that the issuer may choose to ignore the + // requested isCA value, just + // like any other requested attribute. + // + // If true, this will automatically add the `cert sign` usage to + // the list + // of requested `usages`. + isCA?: bool + + // Reference to the issuer responsible for issuing the + // certificate. + // If the issuer is namespace-scoped, it must be in the same + // namespace + // as the Certificate. If the issuer is cluster-scoped, it can be + // used + // from any namespace. + // + // The `name` field of the reference must always be specified. + issuerRef!: { + // Group of the resource being referred to. + group?: string + + // Kind of the resource being referred to. + kind?: string + + // Name of the resource being referred to. + name!: string + } + + // Additional keystore output formats to be stored in the + // Certificate's Secret. + keystores?: { + // JKS configures options for storing a JKS keystore in the + // `spec.secretName` Secret resource. + jks?: { + // Alias specifies the alias of the key in the keystore, required + // by the JKS format. + // If not provided, the default alias `certificate` will be used. + alias?: string + + // Create enables JKS keystore creation for the Certificate. + // If true, a file named `keystore.jks` will be created in the + // target + // Secret resource, encrypted using the password stored in + // `passwordSecretRef` or `password`. + // The keystore file will be updated immediately. 
+ // If the issuer provided a CA certificate, a file named + // `truststore.jks` + // will also be created in the target Secret resource, encrypted + // using the + // password stored in `passwordSecretRef` + // containing the issuing Certificate Authority + create!: bool + + // Password provides a literal password used to encrypt the JKS + // keystore. + // Mutually exclusive with passwordSecretRef. + // One of password or passwordSecretRef must provide a password + // with a non-zero length. + password?: string + + // PasswordSecretRef is a reference to a non-empty key in a Secret + // resource + // containing the password used to encrypt the JKS keystore. + // Mutually exclusive with password. + // One of password or passwordSecretRef must provide a password + // with a non-zero length. + passwordSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // PKCS12 configures options for storing a PKCS12 keystore in the + // `spec.secretName` Secret resource. + pkcs12?: { + // Create enables PKCS12 keystore creation for the Certificate. + // If true, a file named `keystore.p12` will be created in the + // target + // Secret resource, encrypted using the password stored in + // `passwordSecretRef` or in `password`. + // The keystore file will be updated immediately. + // If the issuer provided a CA certificate, a file named + // `truststore.p12` will + // also be created in the target Secret resource, encrypted using + // the + // password stored in `passwordSecretRef` containing the issuing + // Certificate + // Authority + create!: bool + + // Password provides a literal password used to encrypt the + // PKCS#12 keystore. 
+ // Mutually exclusive with passwordSecretRef. + // One of password or passwordSecretRef must provide a password + // with a non-zero length. + password?: string + + // PasswordSecretRef is a reference to a non-empty key in a Secret + // resource + // containing the password used to encrypt the PKCS#12 keystore. + // Mutually exclusive with password. + // One of password or passwordSecretRef must provide a password + // with a non-zero length. + passwordSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Profile specifies the key and certificate encryption algorithms + // and the HMAC algorithm + // used to create the PKCS12 keystore. Default value is + // `LegacyRC2` for backward compatibility. + // + // If provided, allowed values are: + // `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 + // or Java 20. + // `LegacyDES`: Less secure algorithm. Use this option for maximal + // compatibility. + // `Modern2023`: Secure algorithm. Use this option in case you + // have to always use secure algorithms + // (eg. because of company policy). Please note that the security + // of the algorithm is not that important + // in reality, because the unencrypted certificate and private key + // are also stored in the Secret. + profile?: "LegacyRC2" | "LegacyDES" | "Modern2023" + } + } + + // Requested X.509 certificate subject, represented using the LDAP + // "String + // Representation of a Distinguished Name" [1]. + // Important: the LDAP string format also specifies the order of + // the attributes + // in the subject, this is important when issuing certs for LDAP + // authentication. 
+ // Example: `CN=foo,DC=corp,DC=example,DC=com` + // More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 + // More info: + // https://github.com/cert-manager/cert-manager/issues/3203 + // More info: + // https://github.com/cert-manager/cert-manager/issues/4424 + // + // Cannot be set if the `subject` or `commonName` field is set. + literalSubject?: string + + // x.509 certificate NameConstraint extension which MUST NOT be + // used in a non-CA certificate. + // More Info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 + // + // This is an Alpha Feature and is only enabled with the + // `--feature-gates=NameConstraints=true` option set on both + // the controller and webhook components. + nameConstraints?: { + // if true then the name constraints are marked critical. + critical?: bool + + // Excluded contains the constraints which must be disallowed. Any + // name matching a + // restriction in the excluded field is invalid regardless + // of information appearing in the permitted + excluded?: { + // DNSDomains is a list of DNS domains that are permitted or + // excluded. + dnsDomains?: [...string] + + // EmailAddresses is a list of Email Addresses that are permitted + // or excluded. + emailAddresses?: [...string] + + // IPRanges is a list of IP Ranges that are permitted or excluded. + // This should be a valid CIDR notation. + ipRanges?: [...string] + + // URIDomains is a list of URI domains that are permitted or + // excluded. + uriDomains?: [...string] + } + + // Permitted contains the constraints in which the names must be + // located. + permitted?: { + // DNSDomains is a list of DNS domains that are permitted or + // excluded. + dnsDomains?: [...string] + + // EmailAddresses is a list of Email Addresses that are permitted + // or excluded. + emailAddresses?: [...string] + + // IPRanges is a list of IP Ranges that are permitted or excluded. + // This should be a valid CIDR notation. 
+ ipRanges?: [...string] + + // URIDomains is a list of URI domains that are permitted or + // excluded. + uriDomains?: [...string] + } + } + + // `otherNames` is an escape hatch for SAN that allows any type. + // We currently restrict the support to string like otherNames, + // cf RFC 5280 p 37 + // Any UTF8 String valued otherName can be passed with by setting + // the keys oid: x.x.x.x and UTF8Value: somevalue for + // `otherName`. + // Most commonly this would be UPN set with oid: + // 1.3.6.1.4.1.311.20.2.3 + // You should ensure that any OID passed is valid for the + // UTF8String type as we do not explicitly validate this. + otherNames?: [...{ + // OID is the object identifier for the otherName SAN. + // The object identifier must be expressed as a dotted string, for + // example, "1.2.840.113556.1.4.221". + oid?: string + + // utf8Value is the string value of the otherName SAN. + // The utf8Value accepts any valid UTF8 string to set as value for + // the otherName SAN. + utf8Value?: string + }] + + // Private key options. These include the key algorithm and size, + // the used + // encoding and the rotation policy. + privateKey?: { + // Algorithm is the private key algorithm of the corresponding + // private key + // for this certificate. + // + // If provided, allowed values are either `RSA`, `ECDSA` or + // `Ed25519`. + // If `algorithm` is specified and `size` is not provided, + // key size of 2048 will be used for `RSA` key algorithm and + // key size of 256 will be used for `ECDSA` key algorithm. + // key size is ignored when using the `Ed25519` key algorithm. + algorithm?: "RSA" | "ECDSA" | "Ed25519" + + // The private key cryptography standards (PKCS) encoding for this + // certificate's private key to be encoded in. + // + // If provided, allowed values are `PKCS1` and `PKCS8` standing + // for PKCS#1 + // and PKCS#8, respectively. + // Defaults to `PKCS1` if not specified. 
+ encoding?: "PKCS1" | "PKCS8" + + // RotationPolicy controls how private keys should be regenerated + // when a + // re-issuance is being processed. + // + // If set to `Never`, a private key will only be generated if one + // does not + // already exist in the target `spec.secretName`. If one does + // exist but it + // does not have the correct algorithm or size, a warning will be + // raised + // to await user intervention. + // If set to `Always`, a private key matching the specified + // requirements + // will be generated whenever a re-issuance occurs. + // Default is `Never` for backward compatibility. + rotationPolicy?: "Never" | "Always" + + // Size is the key bit size of the corresponding private key for + // this certificate. + // + // If `algorithm` is set to `RSA`, valid values are `2048`, `4096` + // or `8192`, + // and will default to `2048` if not specified. + // If `algorithm` is set to `ECDSA`, valid values are `256`, `384` + // or `521`, + // and will default to `256` if not specified. + // If `algorithm` is set to `Ed25519`, Size is ignored. + // No other values are allowed. + size?: int + } + + // How long before the currently issued certificate's expiry + // cert-manager should + // renew the certificate. For example, if a certificate is valid + // for 60 minutes, + // and `renewBefore=10m`, cert-manager will begin to attempt to + // renew the certificate + // 50 minutes after it was issued (i.e. when there are 10 minutes + // remaining until + // the certificate is no longer valid). + // + // NOTE: The actual lifetime of the issued certificate is used to + // determine the + // renewal time. If an issuer returns a certificate with a + // different lifetime than + // the one requested, cert-manager will use the lifetime of the + // issued certificate. + // + // If unset, this defaults to 1/3 of the issued certificate's + // lifetime. + // Minimum accepted value is 5 minutes. 
+ // Value must be in units accepted by Go time.ParseDuration + // https://golang.org/pkg/time/#ParseDuration. + // Cannot be set if the `renewBeforePercentage` field is set. + renewBefore?: string + + // `renewBeforePercentage` is like `renewBefore`, except it is a + // relative percentage + // rather than an absolute duration. For example, if a certificate + // is valid for 60 + // minutes, and `renewBeforePercentage=25`, cert-manager will + // begin to attempt to + // renew the certificate 45 minutes after it was issued (i.e. when + // there are 15 + // minutes (25%) remaining until the certificate is no longer + // valid). + // + // NOTE: The actual lifetime of the issued certificate is used to + // determine the + // renewal time. If an issuer returns a certificate with a + // different lifetime than + // the one requested, cert-manager will use the lifetime of the + // issued certificate. + // + // Value must be an integer in the range (0,100). The minimum + // effective + // `renewBefore` derived from the `renewBeforePercentage` and + // `duration` fields is 5 + // minutes. + // Cannot be set if the `renewBefore` field is set. + renewBeforePercentage?: int32 + + // The maximum number of CertificateRequest revisions that are + // maintained in + // the Certificate's history. Each revision represents a single + // `CertificateRequest` + // created by this Certificate, either when it was created, + // renewed, or Spec + // was changed. Revisions will be removed by oldest first if the + // number of + // revisions exceeds this number. + // + // If set, revisionHistoryLimit must be a value of `1` or greater. + // If unset (`nil`), revisions will not be garbage collected. + // Default value is `nil`. + revisionHistoryLimit?: int32 + + // Name of the Secret resource that will be automatically created + // and + // managed by this Certificate resource. It will be populated with + // a + // private key and certificate, signed by the denoted issuer. 
The + // Secret + // resource lives in the same namespace as the Certificate + // resource. + secretName!: string + + // Defines annotations and labels to be copied to the + // Certificate's Secret. + // Labels and annotations on the Secret will be changed as they + // appear on the + // SecretTemplate when added or removed. SecretTemplate + // annotations are added + // in conjunction with, and cannot overwrite, the base set of + // annotations + // cert-manager sets on the Certificate's Secret. + secretTemplate?: { + // Annotations is a key value map to be copied to the target + // Kubernetes Secret. + annotations?: close({ + [string]: string + }) + + // Labels is a key value map to be copied to the target Kubernetes + // Secret. + labels?: close({ + [string]: string + }) + } + + // Requested set of X509 certificate subject attributes. + // More info: + // https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6 + // + // The common name attribute is specified separately in the + // `commonName` field. + // Cannot be set if the `literalSubject` field is set. + subject?: { + // Countries to be used on the Certificate. + countries?: [...string] + + // Cities to be used on the Certificate. + localities?: [...string] + + // Organizational Units to be used on the Certificate. + organizationalUnits?: [...string] + + // Organizations to be used on the Certificate. + organizations?: [...string] + + // Postal codes to be used on the Certificate. + postalCodes?: [...string] + + // State/Provinces to be used on the Certificate. + provinces?: [...string] + + // Serial number to be used on the Certificate. + serialNumber?: string + + // Street addresses to be used on the Certificate. + streetAddresses?: [...string] + } + + // Requested URI subject alternative names. + uris?: [...string] + + // Requested key usages and extended key usages. + // These usages are used to set the `usages` field on the created + // CertificateRequest + // resources. 
If `encodeUsagesInRequest` is unset or set to + // `true`, the usages + // will additionally be encoded in the `request` field which + // contains the CSR blob. + // + // If unset, defaults to `digital signature` and `key + // encipherment`. + usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"] +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue new file mode 100644 index 000000000..b0e298f60 --- /dev/null +++ b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue 
@@ -0,0 +1,160 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// A CertificateRequest is used to request a signed certificate +// from one of the +// configured issuers. +// +// All fields within the CertificateRequest's `spec` are immutable +// after creation. +// A CertificateRequest will either succeed or fail, as denoted by +// its `Ready` status +// condition and its `status.failureTime` field. +// +// A CertificateRequest is a one-shot resource, meaning it +// represents a single +// point in time request for a certificate and cannot be re-used. +#CertificateRequest: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "CertificateRequest" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Specification of the desired state of the CertificateRequest + // resource. 
+ // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + spec!: #CertificateRequestSpec +} + +// Specification of the desired state of the CertificateRequest +// resource. +// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +#CertificateRequestSpec: { + // Requested 'duration' (i.e. lifetime) of the Certificate. Note + // that the + // issuer may choose to ignore the requested duration, just like + // any other + // requested attribute. + duration?: string + + // Extra contains extra attributes of the user that created the + // CertificateRequest. + // Populated by the cert-manager webhook on creation and + // immutable. + extra?: close({ + [string]: [...string] + }) + + // Groups contains group membership of the user that created the + // CertificateRequest. + // Populated by the cert-manager webhook on creation and + // immutable. + groups?: [...string] + + // Requested basic constraints isCA value. Note that the issuer + // may choose + // to ignore the requested isCA value, just like any other + // requested attribute. + // + // NOTE: If the CSR in the `Request` field has a BasicConstraints + // extension, + // it must have the same isCA value as specified here. + // + // If true, this will automatically add the `cert sign` usage to + // the list + // of requested `usages`. + isCA?: bool + + // Reference to the issuer responsible for issuing the + // certificate. + // If the issuer is namespace-scoped, it must be in the same + // namespace + // as the Certificate. If the issuer is cluster-scoped, it can be + // used + // from any namespace. + // + // The `name` field of the reference must always be specified. + issuerRef!: { + // Group of the resource being referred to. + group?: string + + // Kind of the resource being referred to. + kind?: string + + // Name of the resource being referred to. 
+ name!: string + } + + // The PEM-encoded X.509 certificate signing request to be + // submitted to the + // issuer for signing. + // + // If the CSR has a BasicConstraints extension, its isCA attribute + // must + // match the `isCA` value of this CertificateRequest. + // If the CSR has a KeyUsage extension, its key usages must match + // the + // key usages in the `usages` field of this CertificateRequest. + // If the CSR has a ExtKeyUsage extension, its extended key usages + // must match the extended key usages in the `usages` field of + // this + // CertificateRequest. + request!: string + + // UID contains the uid of the user that created the + // CertificateRequest. + // Populated by the cert-manager webhook on creation and + // immutable. + uid?: string + + // Requested key usages and extended key usages. + // + // NOTE: If the CSR in the `Request` field has uses the KeyUsage + // or + // ExtKeyUsage extension, these extensions must have the same + // values + // as specified here without any additional values. + // + // If unset, defaults to `digital signature` and `key + // encipherment`. + usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"] + + // Username contains the name of the user that created the + // CertificateRequest. + // Populated by the cert-manager webhook on creation and + // immutable. + username?: string +} diff --git a/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue new file mode 100644 index 000000000..78f9af66a --- /dev/null 
+++ b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue 
@@ -0,0 +1,3267 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// A ClusterIssuer represents a certificate issuing authority +// which can be +// referenced as part of `issuerRef` fields. +// It is similar to an Issuer, however it is cluster-scoped and +// therefore can +// be referenced by resources that exist in *any* namespace, not +// just the same +// namespace as the referent. +#ClusterIssuer: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "ClusterIssuer" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Desired state of the ClusterIssuer resource. + spec!: #ClusterIssuerSpec +} + +// Desired state of the ClusterIssuer resource. +#ClusterIssuerSpec: { + // ACME configures this issuer to communicate with a RFC8555 + // (ACME) server + // to obtain signed x509 certificates. + acme?: { + // Base64-encoded bundle of PEM CAs which can be used to validate + // the certificate + // chain presented by the ACME server. 
+ // Mutually exclusive with SkipTLSVerify; prefer using CABundle to + // prevent various + // kinds of security vulnerabilities. + // If CABundle and SkipTLSVerify are unset, the system certificate + // bundle inside + // the container is used to validate the TLS connection. + caBundle?: string + + // Enables or disables generating a new ACME account key. + // If true, the Issuer resource will *not* request a new account + // but will expect + // the account key to be supplied via an existing secret. + // If false, the cert-manager system will generate a new ACME + // account key + // for the Issuer. + // Defaults to false. + disableAccountKeyGeneration?: bool + + // Email is the email address to be associated with the ACME + // account. + // This field is optional, but it is strongly recommended to be + // set. + // It will be used to contact you in case of issues with your + // account or + // certificates, including expiry notification emails. + // This field may be updated after the account is initially + // registered. + email?: string + + // Enables requesting a Not After date on certificates that + // matches the + // duration of the certificate. This is not supported by all ACME + // servers + // like Let's Encrypt. If set to true when the ACME server does + // not support + // it, it will create an error on the Order. + // Defaults to false. + enableDurationFeature?: bool + + // ExternalAccountBinding is a reference to a CA external account + // of the ACME + // server. + // If set, upon registration cert-manager will attempt to + // associate the given + // external account credentials with the registered ACME account. + externalAccountBinding?: { + // Deprecated: keyAlgorithm field exists for historical + // compatibility + // reasons and should not be used. The algorithm is now hardcoded + // to HS256 + // in golang/x/crypto/acme. 
+ keyAlgorithm?: "HS256" | "HS384" | "HS512" + + // keyID is the ID of the CA key that the External Account is + // bound to. + keyID!: string + + // keySecretRef is a Secret Key Selector referencing a data item + // in a Kubernetes + // Secret which holds the symmetric MAC key of the External + // Account Binding. + // The `key` is the index string that is paired with the key data + // in the + // Secret and should not be confused with the key data itself, or + // indeed with + // the External Account Binding keyID above. + // The secret key stored in the Secret **must** be un-padded, + // base64 URL + // encoded data. + keySecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // PreferredChain is the chain to use if the ACME server outputs + // multiple. + // PreferredChain is no guarantee that this one gets delivered by + // the ACME + // endpoint. + // For example, for Let's Encrypt's DST crosssign you would use: + // "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt + // root CA. + // This value picks the first certificate bundle in the combined + // set of + // ACME default and alternative chains that has a root-most + // certificate with + // this value as its issuer's commonname. + preferredChain?: strings.MaxRunes(64) + + // PrivateKey is the name of a Kubernetes Secret resource that + // will be used to + // store the automatically generated ACME account private key. + // Optionally, a `key` may be specified to select a specific entry + // within + // the named Secret resource. + // If `key` is not specified, a default of `tls.key` will be used. 
+ privateKeySecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Server is the URL used to access the ACME server's 'directory' + // endpoint. + // For example, for Let's Encrypt's staging endpoint, you would + // use: + // "https://acme-staging-v02.api.letsencrypt.org/directory". + // Only ACME v2 endpoints (i.e. RFC 8555) are supported. + server!: string + + // INSECURE: Enables or disables validation of the ACME server TLS + // certificate. + // If true, requests to the ACME server will not have the TLS + // certificate chain + // validated. + // Mutually exclusive with CABundle; prefer using CABundle to + // prevent various + // kinds of security vulnerabilities. + // Only enable this option in development environments. + // If CABundle and SkipTLSVerify are unset, the system certificate + // bundle inside + // the container is used to validate the TLS connection. + // Defaults to false. + skipTLSVerify?: bool + + // Solvers is a list of challenge solvers that will be used to + // solve + // ACME challenges for the matching domains. + // Solver configurations must be provided in order to obtain + // certificates + // from an ACME server. + // For more information, see: + // https://cert-manager.io/docs/configuration/acme/ + solvers?: [...{ + // Configures cert-manager to attempt to complete authorizations + // by + // performing the DNS01 challenge flow. + dns01?: { + // Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to + // manage + // DNS01 challenge records. + acmeDNS?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. 
+ accountSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + host!: string + } + + // Use the Akamai DNS zone management API to manage DNS01 + // challenge records. + akamai?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + accessTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientSecretSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + serviceConsumerDomain!: string + } + + // Use the Microsoft Azure DNS API to manage DNS01 challenge + // records. + azureDNS?: { + // Auth: Azure Service Principal: + // The ClientID of the Azure Service Principal used to + // authenticate with Azure DNS. + // If set, ClientSecret and TenantID must also be set. + clientID?: string + + // Auth: Azure Service Principal: + // A reference to a Secret containing the password associated with + // the Service Principal. + // If set, ClientID and TenantID must also be set. + clientSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // name of the Azure environment (default AzurePublicCloud) + environment?: "AzurePublicCloud" | "AzureChinaCloud" | "AzureGermanCloud" | "AzureUSGovernmentCloud" + + // name of the DNS zone that should be used + hostedZoneName?: string + + // Auth: Azure Workload Identity or Azure Managed Service + // Identity: + // Settings to enable Azure Workload Identity or Azure Managed + // Service Identity + // If set, ClientID, ClientSecret and TenantID must not be set. 
+ managedIdentity?: { + // client ID of the managed identity, can not be used at the same + // time as resourceID + clientID?: string + + // resource ID of the managed identity, can not be used at the + // same time as clientID + // Cannot be used for Azure Managed Service Identity + resourceID?: string + + // tenant ID of the managed identity, can not be used at the same + // time as resourceID + tenantID?: string + } + + // resource group the DNS zone is located in + resourceGroupName!: string + + // ID of the Azure subscription + subscriptionID!: string + + // Auth: Azure Service Principal: + // The TenantID of the Azure Service Principal used to + // authenticate with Azure DNS. + // If set, ClientID and ClientSecret must also be set. + tenantID?: string + } + + // Use the Google Cloud DNS API to manage DNS01 challenge records. + cloudDNS?: { + // HostedZoneName is an optional field that tells cert-manager in + // which + // Cloud DNS zone the challenge record has to be created. + // If left empty cert-manager will automatically choose a zone. + hostedZoneName?: string + project!: string + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + serviceAccountSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the Cloudflare API to manage DNS01 challenge records. + cloudflare?: { + // API key to use to authenticate with Cloudflare. + // Note: using an API token to authenticate is now the recommended + // method + // as it allows greater control of permissions. + apiKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. 
+ // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // API token used to authenticate with Cloudflare. + apiTokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Email of the account, only required when using API key based + // authentication. + email?: string + } + + // CNAMEStrategy configures how the DNS01 provider should handle + // CNAME + // records when found in DNS zones. + cnameStrategy?: "None" | "Follow" + digitalocean?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + tokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use RFC2136 ("Dynamic Updates in the Domain Name System") + // (https://datatracker.ietf.org/doc/rfc2136/) + // to manage DNS01 challenge records. + rfc2136?: { + // The IP address or hostname of an authoritative DNS server + // supporting + // RFC2136 in the form host:port. If the host is an IPv6 address + // it must be + // enclosed in square brackets (e.g [2001:db8::1]) ; port is + // optional. + // This field is required. 
+ nameserver!: string + + // The TSIG Algorithm configured in the DNS supporting RFC2136. + // Used only + // when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + // Supported values are (case-insensitive): ``HMACMD5`` (default), + // ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + tsigAlgorithm?: string + + // The TSIG Key name configured in the DNS. + // If ``tsigSecretSecretRef`` is defined, this field is required. + tsigKeyName?: string + + // The name of the secret containing the TSIG value. + // If ``tsigKeyName`` is defined, this field is required. + tsigSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the AWS Route53 API to manage DNS01 challenge records. + route53?: { + // The AccessKeyID is used for authentication. + // Cannot be set when SecretAccessKeyID is set. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyID?: string + + // The SecretAccessKey is used for authentication. If set, pull + // the AWS + // access key ID from a key within a Kubernetes Secret. + // Cannot be set when AccessKeyID is set. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyIDSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. 
+ // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + auth?: { + kubernetes!: { + // A reference to a service account that will be used to request a + // bound + // token (also known as "projected token"). To use this field, you + // must + // configure an RBAC rule to let cert-manager request a token. + serviceAccountRef!: { + // TokenAudiences is an optional list of audiences to include in + // the + // token passed to AWS. The default token consisting of the + // issuer's namespace + // and name is always included. + // If unset the audience defaults to `sts.amazonaws.com`. + audiences?: [...string] + + // Name of the ServiceAccount used to request a token. + name!: string + } + } + } + + // If set, the provider will manage only this zone in Route53 and + // will not do a lookup using the route53:ListHostedZonesByName + // api call. + hostedZoneID?: string + + // Override the AWS region. + // + // Route53 is a global service and does not have regional + // endpoints but the + // region specified here (or via environment variables) is used as + // a hint to + // help compute the correct AWS credential scope and partition + // when it + // connects to Route53. See: + // - [Amazon Route 53 endpoints and + // quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + // - [Global + // services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + // + // If you omit this region field, cert-manager will use the region + // from + // AWS_REGION and AWS_DEFAULT_REGION environment variables, if + // they are set + // in the cert-manager controller Pod. 
+ // + // The `region` field is not needed if you use [IAM Roles for + // Service Accounts + // (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + // In this case this `region` field value is ignored. + // + // The `region` field is not needed if you use [EKS Pod + // Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). + // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Agent](https://github.com/aws/eks-pod-identity-agent), + // In this case this `region` field value is ignored. + region?: string + + // Role is a Role ARN which the Route53 provider will assume using + // either the explicit credentials AccessKeyID/SecretAccessKey + // or the inferred credentials from environment variables, shared + // credentials file or AWS Instance metadata + role?: string + + // The SecretAccessKey is used for authentication. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + secretAccessKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Configure an external webhook based DNS01 challenge solver to + // manage + // DNS01 challenge records. 
+ webhook?: { + // Additional configuration that should be passed to the webhook + // apiserver + // when challenges are processed. + // This can contain arbitrary JSON data. + // Secret values should not be specified in this stanza. + // If secret values are needed (e.g. credentials for a DNS + // service), you + // should use a SecretKeySelector to reference a Secret resource. + // For details on the schema of this field, consult the webhook + // provider + // implementation's documentation. + config?: _ + + // The API group name that should be used when POSTing + // ChallengePayload + // resources to the webhook apiserver. + // This should be the same as the GroupName specified in the + // webhook + // provider implementation. + groupName!: string + + // The name of the solver to use, as defined in the webhook + // provider + // implementation. + // This will typically be the name of the provider, e.g. + // 'cloudflare'. + solverName!: string + } + } + + // Configures cert-manager to attempt to complete authorizations + // by + // performing the HTTP01 challenge flow. + // It is not possible to obtain certificates for wildcard domain + // names + // (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + http01?: { + // The Gateway API is a sig-network community API that models + // service networking + // in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway + // solver will + // create HTTPRoutes with the specified labels in the same + // namespace as the challenge. + // This solver is experimental, and fields / behaviour may change + // in the future. + gatewayHTTPRoute?: { + // Custom labels that will be applied to HTTPRoutes created by + // cert-manager + // while solving HTTP-01 challenges. + labels?: close({ + [string]: string + }) + + // When solving an HTTP-01 challenge, cert-manager creates an + // HTTPRoute. + // cert-manager needs to know which parentRefs should be used when + // creating + // the HTTPRoute. 
Usually, the parentRef references a Gateway. + // See: + // https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + parentRefs?: [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. + // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. 
+ // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. + // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. 
If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. 
+ podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. + // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. 
+ // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. 
+ podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. 
A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". 
+ // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. 
+ // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. 
A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. 
+ labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". 
+ // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. 
The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. 
If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. 
+ type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. 
+ operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + + // The ingress based HTTP01 challenge solver will solve challenges + // by + // creating or modifying Ingress resources in order to route + // requests for + // '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods + // that are + // provisioned by cert-manager for each Challenge to be completed. + ingress?: { + // This field configures the annotation + // `kubernetes.io/ingress.class` when + // creating Ingress resources to solve ACME challenges that use + // this + // challenge solver. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + class?: string + + // This field configures the field `ingressClassName` on the + // created Ingress + // resources used to solve ACME challenges that use this challenge + // solver. + // This is the recommended way of configuring the ingress class. + // Only one of + // `class`, `name` or `ingressClassName` may be specified. + ingressClassName?: string + ingressTemplate?: { + // ObjectMeta overrides for the ingress used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. 
+ metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver ingress. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // ingress. + labels?: close({ + [string]: string + }) + } + } + + // The name of the ingress resource that should have ACME + // challenge solving + // routes inserted into it in order to solve HTTP01 challenges. + // This is typically used in conjunction with ingress controllers + // like + // ingress-gce, which maintains a 1:1 mapping between external IPs + // and + // ingress resources. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + name?: string + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. + // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. 
The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. 
+ // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). 
+ podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. 
+ // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. 
+ topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. 
+ matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. 
+ // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. 
avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. 
A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. 
+ values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. 
+ // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. 
Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. 
+ // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + } + + // Selector selects a set of DNSNames on the Certificate resource + // that + // should be solved using this challenge solver. + // If not specified, the solver will be treated as the 'default' + // solver + // with the lowest priority, i.e. if any other solver has a more + // specific + // match, it will be used instead. + selector?: { + // List of DNSNames that this solver will be used to solve. + // If specified and a match is found, a dnsNames selector will + // take + // precedence over a dnsZones selector. + // If multiple solvers match with the same dnsNames value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsNames?: [...string] + + // List of DNSZones that this solver will be used to solve. + // The most specific DNS zone match specified here will take + // precedence + // over other DNS zone matches, so a solver specifying + // sys.example.com + // will be selected over one specifying example.com for the domain + // www.sys.example.com. + // If multiple solvers match with the same dnsZones value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsZones?: [...string] + + // A label selector that is used to refine the set of + // certificate's that + // this challenge solver will apply to. + matchLabels?: close({ + [string]: string + }) + } + }] + } + + // CA configures this issuer to sign certificates using a signing + // CA keypair + // stored in a Secret resource. 
+ // This is used to build internal PKIs that are managed by + // cert-manager. + ca?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies + // the location of the CRL from which the revocation of this + // certificate can be checked. + // If not set, certificates will be issued without distribution + // points set. + crlDistributionPoints?: [...string] + + // IssuingCertificateURLs is a list of URLs which this issuer + // should embed into certificates + // it creates. See + // https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for + // more details. + // As an example, such a URL might be + // "http://ca.domain.com/ca.crt". + issuingCertificateURLs?: [...string] + + // The OCSP server list is an X.509 v3 extension that defines a + // list of + // URLs of OCSP responders. The OCSP responders can be queried for + // the + // revocation status of an issued certificate. If not set, the + // certificate will be issued with no OCSP servers set. For + // example, an + // OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + ocspServers?: [...string] + + // SecretName is the name of the secret used to sign Certificates + // issued + // by this Issuer. + secretName!: string + } + selfSigned?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies + // the location of the CRL from which the revocation of this + // certificate can be checked. + // If not set certificate will be issued without CDP. Values are + // strings. + crlDistributionPoints?: [...string] + } + + // Vault configures this issuer to sign certificates using a + // HashiCorp Vault + // PKI backend. + vault?: { + // Auth configures how cert-manager authenticates with the Vault + // server. + auth!: { + // AppRole authenticates with Vault using the App Role auth + // mechanism, + // with the role and secret stored in a Kubernetes Secret + // resource. 
+ appRole?: { + // Path where the App Role authentication backend is mounted in + // Vault, e.g: + // "approle" + path!: string + + // RoleID configured in the App Role authentication backend when + // setting + // up the authentication backend in Vault. + roleId!: string + + // Reference to a key in a Secret that contains the App Role + // secret used + // to authenticate with Vault. + // The `key` field must be specified and denotes which entry + // within the Secret + // resource is used as the app role secret. + secretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // ClientCertificate authenticates with Vault by presenting a + // client + // certificate during the request's TLS handshake. + // Works only when using HTTPS protocol. + clientCertificate?: { + // The Vault mountPath here is the mount path to use when + // authenticating with + // Vault. For example, setting a value to `/v1/auth/foo`, will use + // the path + // `/v1/auth/foo/login` to authenticate with Vault. If + // unspecified, the + // default value "/v1/auth/cert" will be used. + mountPath?: string + + // Name of the certificate role to authenticate against. + // If not set, matching any certificate role, if available. + name?: string + + // Reference to Kubernetes Secret of type "kubernetes.io/tls" + // (hence containing + // tls.crt and tls.key) used to authenticate to Vault using TLS + // client + // authentication. + secretName?: string + } + + // Kubernetes authenticates with Vault by passing the + // ServiceAccount + // token stored in the named Secret resource to the Vault server. 
+ kubernetes?: { + // The Vault mountPath here is the mount path to use when + // authenticating with + // Vault. For example, setting a value to `/v1/auth/foo`, will use + // the path + // `/v1/auth/foo/login` to authenticate with Vault. If + // unspecified, the + // default value "/v1/auth/kubernetes" will be used. + mountPath?: string + + // A required field containing the Vault Role to assume. A Role + // binds a + // Kubernetes ServiceAccount with a set of Vault policies. + role!: string + + // The required Secret field containing a Kubernetes + // ServiceAccount JWT used + // for authenticating with Vault. Use of 'ambient credentials' is + // not + // supported. + secretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a service account that will be used to request a + // bound + // token (also known as "projected token"). Compared to using + // "secretRef", + // using this field means that you don't rely on statically bound + // tokens. To + // use this field, you must configure an RBAC rule to let + // cert-manager + // request a token. + serviceAccountRef?: { + // TokenAudiences is an optional list of extra audiences to + // include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always + // included. + audiences?: [...string] + + // Name of the ServiceAccount used to request a token. + name!: string + } + } + + // TokenSecretRef authenticates with Vault by presenting a token. + tokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. 
+ key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate + // chain presented by Vault. Only used if using HTTPS to connect + // to Vault and + // ignored for HTTP connections. + // Mutually exclusive with CABundleSecretRef. + // If neither CABundle nor CABundleSecretRef are defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + caBundle?: string + + // Reference to a Secret containing a bundle of PEM-encoded CAs to + // use when + // verifying the certificate chain presented by Vault when using + // HTTPS. + // Mutually exclusive with CABundle. + // If neither CABundle nor CABundleSecretRef are defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + // If no key for the Secret is specified, cert-manager will + // default to 'ca.crt'. + caBundleSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Reference to a Secret containing a PEM-encoded Client + // Certificate to use when the + // Vault server requires mTLS. + clientCertSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Reference to a Secret containing a PEM-encoded Client Private + // Key to use when the + // Vault server requires mTLS. + clientKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Name of the vault namespace. Namespaces is a set of features + // within Vault Enterprise that allows Vault environments to + // support Secure Multi-tenancy. e.g: "ns1" + // More about namespaces can be found here + // https://www.vaultproject.io/docs/enterprise/namespaces + namespace?: string + + // Path is the mount path of the Vault PKI backend's `sign` + // endpoint, e.g: + // "my_pki_mount/sign/my-role-name". + path!: string + + // Server is the connection address for the Vault server, e.g: + // "https://vault.example.com:8200". + server!: string + } + + // Venafi configures this issuer to sign certificates using a + // Venafi TPP + // or Venafi Cloud policy zone. + venafi?: { + // Cloud specifies the Venafi cloud configuration settings. + // Only one of TPP or Cloud may be specified. + cloud?: { + // APITokenSecretRef is a secret key selector for the Venafi Cloud + // API token. + apiTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // URL is the base URL for Venafi Cloud. 
+ // Defaults to "https://api.venafi.cloud/v1". + url?: string + } + + // TPP specifies Trust Protection Platform configuration settings. + // Only one of TPP or Cloud may be specified. + tpp?: { + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate + // chain presented by the TPP server. Only used if using HTTPS; + // ignored for HTTP. + // If undefined, the certificate bundle in the cert-manager + // controller container + // is used to validate the chain. + caBundle?: string + + // Reference to a Secret containing a base64-encoded bundle of PEM + // CAs + // which will be used to validate the certificate chain presented + // by the TPP server. + // Only used if using HTTPS; ignored for HTTP. Mutually exclusive + // with CABundle. + // If neither CABundle nor CABundleSecretRef is defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + caBundleSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + credentialsRef!: { + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // URL is the base URL for the vedsdk endpoint of the Venafi TPP + // instance, + // for example: "https://tpp.example.com/vedsdk". + url!: string + } + + // Zone is the Venafi Policy Zone to use for this issuer. + // All requests made to the Venafi platform will be restricted by + // the named + // zone policy. + // This field is required. + zone!: string + } +} 
diff --git a/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue
new file mode 100644
index 000000000..ce9218473
--- /dev/null
+++ b/k8s/timoni/codebattle/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue
@@ -0,0 +1,3265 @@ +// Code generated by timoni. DO NOT EDIT. + +//timoni:generate timoni vendor crd -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.yaml + +package v1 + +import "strings" + +// An Issuer represents a certificate issuing authority which can +// be +// referenced as part of `issuerRef` fields. +// It is scoped to a single namespace and can therefore only be +// referenced by +// resources within the same namespace. +#Issuer: { + // APIVersion defines the versioned schema of this representation + // of an object. + // Servers should convert recognized schemas to the latest + // internal value, and + // may reject unrecognized values. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + apiVersion: "cert-manager.io/v1" + + // Kind is a string value representing the REST resource this + // object represents. + // Servers may infer this from the endpoint the client submits + // requests to. + // Cannot be updated. + // In CamelCase. + // More info: + // https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + kind: "Issuer" + metadata!: { + name!: strings.MaxRunes(253) & strings.MinRunes(1) & { + string + } + namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & { + string + } + labels?: { + [string]: string + } + annotations?: { + [string]: string + } + } + + // Desired state of the Issuer resource. + spec!: #IssuerSpec +} + +// Desired state of the Issuer resource. +#IssuerSpec: { + // ACME configures this issuer to communicate with a RFC8555 + // (ACME) server + // to obtain signed x509 certificates. + acme?: { + // Base64-encoded bundle of PEM CAs which can be used to validate + // the certificate + // chain presented by the ACME server. + // Mutually exclusive with SkipTLSVerify; prefer using CABundle to + // prevent various + // kinds of security vulnerabilities. 
+ // If CABundle and SkipTLSVerify are unset, the system certificate + // bundle inside + // the container is used to validate the TLS connection. + caBundle?: string + + // Enables or disables generating a new ACME account key. + // If true, the Issuer resource will *not* request a new account + // but will expect + // the account key to be supplied via an existing secret. + // If false, the cert-manager system will generate a new ACME + // account key + // for the Issuer. + // Defaults to false. + disableAccountKeyGeneration?: bool + + // Email is the email address to be associated with the ACME + // account. + // This field is optional, but it is strongly recommended to be + // set. + // It will be used to contact you in case of issues with your + // account or + // certificates, including expiry notification emails. + // This field may be updated after the account is initially + // registered. + email?: string + + // Enables requesting a Not After date on certificates that + // matches the + // duration of the certificate. This is not supported by all ACME + // servers + // like Let's Encrypt. If set to true when the ACME server does + // not support + // it, it will create an error on the Order. + // Defaults to false. + enableDurationFeature?: bool + + // ExternalAccountBinding is a reference to a CA external account + // of the ACME + // server. + // If set, upon registration cert-manager will attempt to + // associate the given + // external account credentials with the registered ACME account. + externalAccountBinding?: { + // Deprecated: keyAlgorithm field exists for historical + // compatibility + // reasons and should not be used. The algorithm is now hardcoded + // to HS256 + // in golang/x/crypto/acme. + keyAlgorithm?: "HS256" | "HS384" | "HS512" + + // keyID is the ID of the CA key that the External Account is + // bound to. 
+ keyID!: string + + // keySecretRef is a Secret Key Selector referencing a data item + // in a Kubernetes + // Secret which holds the symmetric MAC key of the External + // Account Binding. + // The `key` is the index string that is paired with the key data + // in the + // Secret and should not be confused with the key data itself, or + // indeed with + // the External Account Binding keyID above. + // The secret key stored in the Secret **must** be un-padded, + // base64 URL + // encoded data. + keySecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // PreferredChain is the chain to use if the ACME server outputs + // multiple. + // PreferredChain is no guarantee that this one gets delivered by + // the ACME + // endpoint. + // For example, for Let's Encrypt's DST crosssign you would use: + // "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt + // root CA. + // This value picks the first certificate bundle in the combined + // set of + // ACME default and alternative chains that has a root-most + // certificate with + // this value as its issuer's commonname. + preferredChain?: strings.MaxRunes(64) + + // PrivateKey is the name of a Kubernetes Secret resource that + // will be used to + // store the automatically generated ACME account private key. + // Optionally, a `key` may be specified to select a specific entry + // within + // the named Secret resource. + // If `key` is not specified, a default of `tls.key` will be used. + privateKeySecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. 
+ key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Server is the URL used to access the ACME server's 'directory' + // endpoint. + // For example, for Let's Encrypt's staging endpoint, you would + // use: + // "https://acme-staging-v02.api.letsencrypt.org/directory". + // Only ACME v2 endpoints (i.e. RFC 8555) are supported. + server!: string + + // INSECURE: Enables or disables validation of the ACME server TLS + // certificate. + // If true, requests to the ACME server will not have the TLS + // certificate chain + // validated. + // Mutually exclusive with CABundle; prefer using CABundle to + // prevent various + // kinds of security vulnerabilities. + // Only enable this option in development environments. + // If CABundle and SkipTLSVerify are unset, the system certificate + // bundle inside + // the container is used to validate the TLS connection. + // Defaults to false. + skipTLSVerify?: bool + + // Solvers is a list of challenge solvers that will be used to + // solve + // ACME challenges for the matching domains. + // Solver configurations must be provided in order to obtain + // certificates + // from an ACME server. + // For more information, see: + // https://cert-manager.io/docs/configuration/acme/ + solvers?: [...{ + // Configures cert-manager to attempt to complete authorizations + // by + // performing the DNS01 challenge flow. + dns01?: { + // Use the 'ACME DNS' (https://github.com/joohoi/acme-dns) API to + // manage + // DNS01 challenge records. + acmeDNS?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + accountSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. 
+ key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + host!: string + } + + // Use the Akamai DNS zone management API to manage DNS01 + // challenge records. + akamai?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + accessTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientSecretSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + clientTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + serviceConsumerDomain!: string + } + + // Use the Microsoft Azure DNS API to manage DNS01 challenge + // records. 
+ azureDNS?: { + // Auth: Azure Service Principal: + // The ClientID of the Azure Service Principal used to + // authenticate with Azure DNS. + // If set, ClientSecret and TenantID must also be set. + clientID?: string + + // Auth: Azure Service Principal: + // A reference to a Secret containing the password associated with + // the Service Principal. + // If set, ClientID and TenantID must also be set. + clientSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // name of the Azure environment (default AzurePublicCloud) + environment?: "AzurePublicCloud" | "AzureChinaCloud" | "AzureGermanCloud" | "AzureUSGovernmentCloud" + + // name of the DNS zone that should be used + hostedZoneName?: string + + // Auth: Azure Workload Identity or Azure Managed Service + // Identity: + // Settings to enable Azure Workload Identity or Azure Managed + // Service Identity + // If set, ClientID, ClientSecret and TenantID must not be set. + managedIdentity?: { + // client ID of the managed identity, can not be used at the same + // time as resourceID + clientID?: string + + // resource ID of the managed identity, can not be used at the + // same time as clientID + // Cannot be used for Azure Managed Service Identity + resourceID?: string + + // tenant ID of the managed identity, can not be used at the same + // time as resourceID + tenantID?: string + } + + // resource group the DNS zone is located in + resourceGroupName!: string + + // ID of the Azure subscription + subscriptionID!: string + + // Auth: Azure Service Principal: + // The TenantID of the Azure Service Principal used to + // authenticate with Azure DNS. 
+ // If set, ClientID and ClientSecret must also be set. + tenantID?: string + } + + // Use the Google Cloud DNS API to manage DNS01 challenge records. + cloudDNS?: { + // HostedZoneName is an optional field that tells cert-manager in + // which + // Cloud DNS zone the challenge record has to be created. + // If left empty cert-manager will automatically choose a zone. + hostedZoneName?: string + project!: string + + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + serviceAccountSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the Cloudflare API to manage DNS01 challenge records. + cloudflare?: { + // API key to use to authenticate with Cloudflare. + // Note: using an API token to authenticate is now the recommended + // method + // as it allows greater control of permissions. + apiKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // API token used to authenticate with Cloudflare. + apiTokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Email of the account, only required when using API key based + // authentication. + email?: string + } + + // CNAMEStrategy configures how the DNS01 provider should handle + // CNAME + // records when found in DNS zones. + cnameStrategy?: "None" | "Follow" + digitalocean?: { + // A reference to a specific 'key' within a Secret resource. + // In some instances, `key` is a required field. + tokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use RFC2136 ("Dynamic Updates in the Domain Name System") + // (https://datatracker.ietf.org/doc/rfc2136/) + // to manage DNS01 challenge records. + rfc2136?: { + // The IP address or hostname of an authoritative DNS server + // supporting + // RFC2136 in the form host:port. If the host is an IPv6 address + // it must be + // enclosed in square brackets (e.g [2001:db8::1]) ; port is + // optional. + // This field is required. + nameserver!: string + + // The TSIG Algorithm configured in the DNS supporting RFC2136. + // Used only + // when ``tsigSecretSecretRef`` and ``tsigKeyName`` are defined. + // Supported values are (case-insensitive): ``HMACMD5`` (default), + // ``HMACSHA1``, ``HMACSHA256`` or ``HMACSHA512``. + tsigAlgorithm?: string + + // The TSIG Key name configured in the DNS. + // If ``tsigSecretSecretRef`` is defined, this field is required. + tsigKeyName?: string + + // The name of the secret containing the TSIG value. + // If ``tsigKeyName`` is defined, this field is required. 
+ tsigSecretSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Use the AWS Route53 API to manage DNS01 challenge records. + route53?: { + // The AccessKeyID is used for authentication. + // Cannot be set when SecretAccessKeyID is set. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyID?: string + + // The SecretAccessKey is used for authentication. If set, pull + // the AWS + // access key ID from a key within a Kubernetes Secret. + // Cannot be set when AccessKeyID is set. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + accessKeyIDSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + auth?: { + kubernetes!: { + // A reference to a service account that will be used to request a + // bound + // token (also known as "projected token"). To use this field, you + // must + // configure an RBAC rule to let cert-manager request a token. 
+ serviceAccountRef!: { + // TokenAudiences is an optional list of audiences to include in + // the + // token passed to AWS. The default token consisting of the + // issuer's namespace + // and name is always included. + // If unset the audience defaults to `sts.amazonaws.com`. + audiences?: [...string] + + // Name of the ServiceAccount used to request a token. + name!: string + } + } + } + + // If set, the provider will manage only this zone in Route53 and + // will not do a lookup using the route53:ListHostedZonesByName + // api call. + hostedZoneID?: string + + // Override the AWS region. + // + // Route53 is a global service and does not have regional + // endpoints but the + // region specified here (or via environment variables) is used as + // a hint to + // help compute the correct AWS credential scope and partition + // when it + // connects to Route53. See: + // - [Amazon Route 53 endpoints and + // quotas](https://docs.aws.amazon.com/general/latest/gr/r53.html) + // - [Global + // services](https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html) + // + // If you omit this region field, cert-manager will use the region + // from + // AWS_REGION and AWS_DEFAULT_REGION environment variables, if + // they are set + // in the cert-manager controller Pod. + // + // The `region` field is not needed if you use [IAM Roles for + // Service Accounts + // (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). + // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook). + // In this case this `region` field value is ignored. + // + // The `region` field is not needed if you use [EKS Pod + // Identities](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html). 
+ // Instead an AWS_REGION environment variable is added to the + // cert-manager controller Pod by: + // [Amazon EKS Pod Identity + // Agent](https://github.com/aws/eks-pod-identity-agent), + // In this case this `region` field value is ignored. + region?: string + + // Role is a Role ARN which the Route53 provider will assume using + // either the explicit credentials AccessKeyID/SecretAccessKey + // or the inferred credentials from environment variables, shared + // credentials file or AWS Instance metadata + role?: string + + // The SecretAccessKey is used for authentication. + // If neither the Access Key nor Key ID are set, we fall-back to + // using env + // vars, shared credentials file or AWS Instance metadata, + // see: + // https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + secretAccessKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Configure an external webhook based DNS01 challenge solver to + // manage + // DNS01 challenge records. + webhook?: { + // Additional configuration that should be passed to the webhook + // apiserver + // when challenges are processed. + // This can contain arbitrary JSON data. + // Secret values should not be specified in this stanza. + // If secret values are needed (e.g. credentials for a DNS + // service), you + // should use a SecretKeySelector to reference a Secret resource. + // For details on the schema of this field, consult the webhook + // provider + // implementation's documentation. + config?: _ + + // The API group name that should be used when POSTing + // ChallengePayload + // resources to the webhook apiserver. 
+ // This should be the same as the GroupName specified in the + // webhook + // provider implementation. + groupName!: string + + // The name of the solver to use, as defined in the webhook + // provider + // implementation. + // This will typically be the name of the provider, e.g. + // 'cloudflare'. + solverName!: string + } + } + + // Configures cert-manager to attempt to complete authorizations + // by + // performing the HTTP01 challenge flow. + // It is not possible to obtain certificates for wildcard domain + // names + // (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + http01?: { + // The Gateway API is a sig-network community API that models + // service networking + // in Kubernetes (https://gateway-api.sigs.k8s.io/). The Gateway + // solver will + // create HTTPRoutes with the specified labels in the same + // namespace as the challenge. + // This solver is experimental, and fields / behaviour may change + // in the future. + gatewayHTTPRoute?: { + // Custom labels that will be applied to HTTPRoutes created by + // cert-manager + // while solving HTTP-01 challenges. + labels?: close({ + [string]: string + }) + + // When solving an HTTP-01 challenge, cert-manager creates an + // HTTPRoute. + // cert-manager needs to know which parentRefs should be used when + // creating + // the HTTPRoute. Usually, the parentRef references a Gateway. + // See: + // https://gateway-api.sigs.k8s.io/api-types/httproute/#attaching-to-gateways + parentRefs?: [...{ + // Group is the group of the referent. + // When unspecified, "gateway.networking.k8s.io" is inferred. + // To set the core API group (such as for a "Service" kind + // referent), + // Group must be explicitly set to "" (empty string). + // + // Support: Core + group?: strings.MaxRunes(253) & =~"^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" | *"gateway.networking.k8s.io" + + // Kind is kind of the referent. 
+ // + // There are two kinds of parent resources with "Core" support: + // + // * Gateway (Gateway conformance profile) + // * Service (Mesh conformance profile, ClusterIP Services only) + // + // Support for other resources is Implementation-Specific. + kind?: strings.MaxRunes(63) & strings.MinRunes(1) & =~"^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" | *"Gateway" + + // Name is the name of the referent. + // + // Support: Core + name!: strings.MaxRunes(253) & strings.MinRunes(1) + + // Namespace is the namespace of the referent. When unspecified, + // this refers + // to the local namespace of the Route. + // + // Note that there are specific rules for ParentRefs which cross + // namespace + // boundaries. Cross-namespace references are only valid if they + // are explicitly + // allowed by something in the namespace they are referring to. + // For example: + // Gateway has the AllowedRoutes field, and ReferenceGrant + // provides a + // generic way to enable any other kind of cross-namespace + // reference. + // + // + // ParentRefs from a Route to a Service in the same namespace are + // "producer" + // routes, which apply default routing rules to inbound + // connections from + // any namespace to the Service. + // + // ParentRefs from a Route to a Service in a different namespace + // are + // "consumer" routes, and these routing rules are only applied to + // outbound + // connections originating from the same namespace as the Route, + // for which + // the intended destination of the connections are a Service + // targeted as a + // ParentRef of the Route. + // + // + // Support: Core + namespace?: strings.MaxRunes(63) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" + } + + // Port is the network port this Route targets. It can be + // interpreted + // differently based on the type of parent resource. 
+ // + // When the parent resource is a Gateway, this targets all + // listeners + // listening on the specified port that also support this kind of + // Route(and + // select this Route). It's not recommended to set `Port` unless + // the + // networking behaviors specified in a Route must apply to a + // specific port + // as opposed to a listener(s) whose port(s) may be changed. When + // both Port + // and SectionName are specified, the name and port of the + // selected listener + // must match both specified values. + // + // + // When the parent resource is a Service, this targets a specific + // port in the + // Service spec. When both Port (experimental) and SectionName are + // specified, + // the name and port of the selected port must match both + // specified values. + // + // + // Implementations MAY choose to support other parent resources. + // Implementations supporting other types of parent resources MUST + // clearly + // document how/if Port is interpreted. + // + // For the purpose of status, an attachment is considered + // successful as + // long as the parent resource accepts it partially. For example, + // Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment + // from the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, + // the Route MUST be considered detached from the Gateway. + // + // Support: Extended + port?: uint16 & >=1 + + // SectionName is the name of a section within the target + // resource. In the + // following resources, SectionName is interpreted as the + // following: + // + // * Gateway: Listener name. When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // * Service: Port name. 
When both Port (experimental) and + // SectionName + // are specified, the name and port of the selected listener must + // match + // both specified values. + // + // Implementations MAY choose to support attaching Routes to other + // resources. + // If that is the case, they MUST clearly document how SectionName + // is + // interpreted. + // + // When unspecified (empty string), this will reference the entire + // resource. + // For the purpose of status, an attachment is considered + // successful if at + // least one section in the parent resource accepts it. For + // example, Gateway + // listeners can restrict which Routes can attach to them by Route + // kind, + // namespace, or hostname. If 1 of 2 Gateway listeners accept + // attachment from + // the referencing Route, the Route MUST be considered + // successfully + // attached. If no Gateway listeners accept attachment from this + // Route, the + // Route MUST be considered detached from the Gateway. + // + // Support: Core + sectionName?: strings.MaxRunes(253) & strings.MinRunes(1) & { + =~"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" + } + }] + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. 
+ // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. 
+ // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. 
+ // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. + // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. 
+ values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). 
+ mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. 
The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. 
+ // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. + // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. 
This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. 
+ // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". 
+ namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. 
+ fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. 
+ // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. + // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. 
Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. 
+ // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + + // The ingress based HTTP01 challenge solver will solve challenges + // by + // creating or modifying Ingress resources in order to route + // requests for + // '/.well-known/acme-challenge/XYZ' to 'challenge solver' pods + // that are + // provisioned by cert-manager for each Challenge to be completed. + ingress?: { + // This field configures the annotation + // `kubernetes.io/ingress.class` when + // creating Ingress resources to solve ACME challenges that use + // this + // challenge solver. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + class?: string + + // This field configures the field `ingressClassName` on the + // created Ingress + // resources used to solve ACME challenges that use this challenge + // solver. + // This is the recommended way of configuring the ingress class. + // Only one of + // `class`, `name` or `ingressClassName` may be specified. + ingressClassName?: string + ingressTemplate?: { + // ObjectMeta overrides for the ingress used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver ingress. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // ingress. + labels?: close({ + [string]: string + }) + } + } + + // The name of the ingress resource that should have ACME + // challenge solving + // routes inserted into it in order to solve HTTP01 challenges. 
+ // This is typically used in conjunction with ingress controllers + // like + // ingress-gce, which maintains a 1:1 mapping between external IPs + // and + // ingress resources. Only one of `class`, `name` or + // `ingressClassName` may + // be specified. + name?: string + + // Optional pod template used to configure the ACME challenge + // solver pods + // used for HTTP01 challenges. + podTemplate?: { + // ObjectMeta overrides for the pod used to solve HTTP01 + // challenges. + // Only the 'labels' and 'annotations' fields may be set. + // If labels or annotations overlap with in-built values, the + // values here + // will override the in-built values. + metadata?: { + // Annotations that should be added to the created ACME HTTP01 + // solver pods. + annotations?: close({ + [string]: string + }) + + // Labels that should be added to the created ACME HTTP01 solver + // pods. + labels?: close({ + [string]: string + }) + } + + // PodSpec defines overrides for the HTTP01 challenge solver pod. + // Check ACMEChallengeSolverHTTP01IngressPodSpec to find out + // currently supported fields. + // All other fields will be ignored. + spec?: { + // If specified, the pod's scheduling constraints + affinity?: { + // Describes node affinity scheduling rules for the pod. + nodeAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. + // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node matches the corresponding + // matchExpressions; the + // node(s) with the highest sum are the most preferred. 
+ preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // A node selector term, associated with the corresponding weight. + preference!: { + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + } + + // Weight associated with matching the corresponding + // nodeSelectorTerm, in the range 1-100. + weight!: int32 + }] + requiredDuringSchedulingIgnoredDuringExecution?: { + // Required. A list of node selector terms. The terms are ORed. + nodeSelectorTerms!: [...{ + // A list of node selector requirements by node's labels. + matchExpressions?: [...{ + // The label key that the selector applies to. 
+ key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + + // A list of node selector requirements by node's fields. + matchFields?: [...{ + // The label key that the selector applies to. + key!: string + + // Represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and + // Lt. + operator!: string + + // An array of string values. If the operator is In or NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. If the operator is Gt or Lt, + // the values + // array must have a single element, which will be interpreted as + // an integer. + // This array is replaced during a strategic merge patch. + values?: [...string] + }] + }] + } + } + + // Describes pod affinity scheduling rules (e.g. co-locate this + // pod in the same node, zone, etc. as some other pod(s)). + podAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the affinity expressions specified by this field, but it may + // choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. 
+ // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling affinity expressions, etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the affinity requirements specified by this field are not + // met at + // scheduling time, the pod will not be scheduled onto the node. 
+ // If the affinity requirements specified by this field cease to + // be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. 
Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. 
+ operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + + // Describes pod anti-affinity scheduling rules (e.g. avoid + // putting this pod in the same node, zone, etc. as some other + // pod(s)). + podAntiAffinity?: { + // The scheduler will prefer to schedule pods to nodes that + // satisfy + // the anti-affinity expressions specified by this field, but it + // may choose + // a node that violates one or more of the expressions. The node + // that is + // most preferred is the one with the greatest sum of weights, + // i.e. 
+ // for each node that meets all of the scheduling requirements + // (resource + // request, requiredDuringScheduling anti-affinity expressions, + // etc.), + // compute a sum by iterating through the elements of this field + // and adding + // "weight" to the sum if the node has pods which matches the + // corresponding podAffinityTerm; the + // node(s) with the highest sum are the most preferred. + preferredDuringSchedulingIgnoredDuringExecution?: [...{ + // Required. A pod affinity term, associated with the + // corresponding weight. + podAffinityTerm!: { + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + } + + // weight associated with matching the corresponding + // podAffinityTerm, + // in the range 1-100. + weight!: int32 + }] + + // If the anti-affinity requirements specified by this field are + // not met at + // scheduling time, the pod will not be scheduled onto the node. 
+ // If the anti-affinity requirements specified by this field cease + // to be met + // at some point during pod execution (e.g. due to a pod label + // update), the + // system may or may not try to eventually evict the pod from its + // node. + // When there are multiple elements, the lists of nodes + // corresponding to each + // podAffinityTerm are intersected, i.e. all terms must be + // satisfied. + requiredDuringSchedulingIgnoredDuringExecution?: [...{ + // A label query over a set of resources, in this case pods. + // If it's null, this PodAffinityTerm matches with no Pods. + labelSelector?: { + // matchExpressions is a list of label selector requirements. The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // MatchLabelKeys is a set of pod label keys to select which pods + // will + // be taken into consideration. 
The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key in (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both matchLabelKeys and + // labelSelector. + // Also, matchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + matchLabelKeys?: [...string] + + // MismatchLabelKeys is a set of pod label keys to select which + // pods will + // be taken into consideration. The keys are used to lookup values + // from the + // incoming pod labels, those key-value labels are merged with + // `labelSelector` as `key notin (value)` + // to select the group of existing pods which pods will be taken + // into consideration + // for the incoming pod's pod (anti) affinity. Keys that don't + // exist in the incoming + // pod labels will be ignored. The default value is empty. + // The same key is forbidden to exist in both mismatchLabelKeys + // and labelSelector. + // Also, mismatchLabelKeys cannot be set when labelSelector isn't + // set. + // This is a beta field and requires enabling + // MatchLabelKeysInPodAffinity feature gate (enabled by default). + mismatchLabelKeys?: [...string] + + // A label query over the set of namespaces that the term applies + // to. + // The term is applied to the union of the namespaces selected by + // this field + // and the ones listed in the namespaces field. + // null selector and null or empty namespaces list means "this + // pod's namespace". + // An empty selector ({}) matches all namespaces. + namespaceSelector?: { + // matchExpressions is a list of label selector requirements. 
The + // requirements are ANDed. + matchExpressions?: [...{ + // key is the label key that the selector applies to. + key!: string + + // operator represents a key's relationship to a set of values. + // Valid operators are In, NotIn, Exists and DoesNotExist. + operator!: string + + // values is an array of string values. If the operator is In or + // NotIn, + // the values array must be non-empty. If the operator is Exists + // or DoesNotExist, + // the values array must be empty. This array is replaced during a + // strategic + // merge patch. + values?: [...string] + }] + + // matchLabels is a map of {key,value} pairs. A single {key,value} + // in the matchLabels + // map is equivalent to an element of matchExpressions, whose key + // field is "key", the + // operator is "In", and the values array contains only "value". + // The requirements are ANDed. + matchLabels?: close({ + [string]: string + }) + } + + // namespaces specifies a static list of namespace names that the + // term applies to. + // The term is applied to the union of the namespaces listed in + // this field + // and the ones selected by namespaceSelector. + // null or empty namespaces list and null namespaceSelector means + // "this pod's namespace". + namespaces?: [...string] + + // This pod should be co-located (affinity) or not co-located + // (anti-affinity) with the pods matching + // the labelSelector in the specified namespaces, where co-located + // is defined as running on a node + // whose value of the label with key topologyKey matches that of + // any node on which any of the + // selected pods is running. + // Empty topologyKey is not allowed. + topologyKey!: string + }] + } + } + + // If specified, the pod's imagePullSecrets + imagePullSecrets?: [...{ + // Name of the referent. + // This field is effectively required, but due to backwards + // compatibility is + // allowed to be empty. Instances of this type with an empty value + // here are + // almost certainly wrong. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name?: string | *"" + }] + + // NodeSelector is a selector which must be true for the pod to + // fit on a node. + // Selector which must match a node's labels for the pod to be + // scheduled on that node. + // More info: + // https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + nodeSelector?: close({ + [string]: string + }) + + // If specified, the pod's priorityClassName. + priorityClassName?: string + + // If specified, the pod's security context + securityContext?: { + // A special supplemental group that applies to all containers in + // a pod. + // Some volume types allow the Kubelet to change the ownership of + // that volume + // to be owned by the pod: + // + // 1. The owning GID will be the FSGroup + // 2. The setgid bit is set (new files created in the volume will + // be owned by FSGroup) + // 3. The permission bits are OR'd with rw-rw---- + // + // If unset, the Kubelet will not modify the ownership and + // permissions of any volume. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroup?: int64 + + // fsGroupChangePolicy defines behavior of changing ownership and + // permission of the volume + // before being exposed inside Pod. This field will only apply to + // volume types which support fsGroup based ownership(and + // permissions). + // It will have no effect on ephemeral volume types such as: + // secret, configmaps + // and emptydir. + // Valid values are "OnRootMismatch" and "Always". If not + // specified, "Always" is used. + // Note that this field cannot be set when spec.os.name is + // windows. + fsGroupChangePolicy?: string + + // The GID to run the entrypoint of the container process. + // Uses runtime default if unset. + // May also be set in SecurityContext. 
If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsGroup?: int64 + + // Indicates that the container must run as a non-root user. + // If true, the Kubelet will validate the image at runtime to + // ensure that it + // does not run as UID 0 (root) and fail to start the container if + // it does. + // If unset or false, no such validation will be performed. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence. + runAsNonRoot?: bool + + // The UID to run the entrypoint of the container process. + // Defaults to user specified in image metadata if unspecified. + // May also be set in SecurityContext. If set in both + // SecurityContext and + // PodSecurityContext, the value specified in SecurityContext + // takes precedence + // for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + runAsUser?: int64 + + // The SELinux context to be applied to all containers. + // If unspecified, the container runtime will allocate a random + // SELinux context for each + // container. May also be set in SecurityContext. If set in + // both SecurityContext and PodSecurityContext, the value + // specified in SecurityContext + // takes precedence for that container. + // Note that this field cannot be set when spec.os.name is + // windows. + seLinuxOptions?: { + // Level is SELinux level label that applies to the container. + level?: string + + // Role is a SELinux role label that applies to the container. + role?: string + + // Type is a SELinux type label that applies to the container. + type?: string + + // User is a SELinux user label that applies to the container. + user?: string + } + + // The seccomp options to use by the containers in this pod. 
+ // Note that this field cannot be set when spec.os.name is + // windows. + seccompProfile?: { + // localhostProfile indicates a profile defined in a file on the + // node should be used. + // The profile must be preconfigured on the node to work. + // Must be a descending path, relative to the kubelet's configured + // seccomp profile location. + // Must be set if type is "Localhost". Must NOT be set for any + // other type. + localhostProfile?: string + + // type indicates which kind of seccomp profile will be applied. + // Valid options are: + // + // Localhost - a profile defined in a file on the node should be + // used. + // RuntimeDefault - the container runtime default profile should + // be used. + // Unconfined - no profile should be applied. + type!: string + } + + // A list of groups applied to the first process run in each + // container, in addition + // to the container's primary GID, the fsGroup (if specified), and + // group memberships + // defined in the container image for the uid of the container + // process. If unspecified, + // no additional groups are added to any container. Note that + // group memberships + // defined in the container image for the uid of the container + // process are still effective, + // even if they are not included in this list. + // Note that this field cannot be set when spec.os.name is + // windows. + supplementalGroups?: [...int64 & int] + + // Sysctls hold a list of namespaced sysctls used for the pod. + // Pods with unsupported + // sysctls (by the container runtime) might fail to launch. + // Note that this field cannot be set when spec.os.name is + // windows. + sysctls?: [...{ + // Name of a property to set + name!: string + + // Value of a property to set + value!: string + }] + } + + // If specified, the pod's service account + serviceAccountName?: string + + // If specified, the pod's tolerations. + tolerations?: [...{ + // Effect indicates the taint effect to match. 
Empty means match + // all taint effects. + // When specified, allowed values are NoSchedule, PreferNoSchedule + // and NoExecute. + effect?: string + + // Key is the taint key that the toleration applies to. Empty + // means match all taint keys. + // If the key is empty, operator must be Exists; this combination + // means to match all values and all keys. + key?: string + + // Operator represents a key's relationship to the value. + // Valid operators are Exists and Equal. Defaults to Equal. + // Exists is equivalent to wildcard for value, so that a pod can + // tolerate all taints of a particular category. + operator?: string + + // TolerationSeconds represents the period of time the toleration + // (which must be + // of effect NoExecute, otherwise this field is ignored) tolerates + // the taint. By default, + // it is not set, which means tolerate the taint forever (do not + // evict). Zero and + // negative values will be treated as 0 (evict immediately) by the + // system. + tolerationSeconds?: int64 + + // Value is the taint value the toleration matches to. + // If the operator is Exists, the value should be empty, otherwise + // just a regular string. + value?: string + }] + } + } + + // Optional service type for Kubernetes solver service. Supported + // values + // are NodePort or ClusterIP. If unset, defaults to NodePort. + serviceType?: string + } + } + + // Selector selects a set of DNSNames on the Certificate resource + // that + // should be solved using this challenge solver. + // If not specified, the solver will be treated as the 'default' + // solver + // with the lowest priority, i.e. if any other solver has a more + // specific + // match, it will be used instead. + selector?: { + // List of DNSNames that this solver will be used to solve. + // If specified and a match is found, a dnsNames selector will + // take + // precedence over a dnsZones selector. 
+ // If multiple solvers match with the same dnsNames value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsNames?: [...string] + + // List of DNSZones that this solver will be used to solve. + // The most specific DNS zone match specified here will take + // precedence + // over other DNS zone matches, so a solver specifying + // sys.example.com + // will be selected over one specifying example.com for the domain + // www.sys.example.com. + // If multiple solvers match with the same dnsZones value, the + // solver + // with the most matching labels in matchLabels will be selected. + // If neither has more matches, the solver defined earlier in the + // list + // will be selected. + dnsZones?: [...string] + + // A label selector that is used to refine the set of + // certificate's that + // this challenge solver will apply to. + matchLabels?: close({ + [string]: string + }) + } + }] + } + + // CA configures this issuer to sign certificates using a signing + // CA keypair + // stored in a Secret resource. + // This is used to build internal PKIs that are managed by + // cert-manager. + ca?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies + // the location of the CRL from which the revocation of this + // certificate can be checked. + // If not set, certificates will be issued without distribution + // points set. + crlDistributionPoints?: [...string] + + // IssuingCertificateURLs is a list of URLs which this issuer + // should embed into certificates + // it creates. See + // https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for + // more details. + // As an example, such a URL might be + // "http://ca.domain.com/ca.crt". + issuingCertificateURLs?: [...string] + + // The OCSP server list is an X.509 v3 extension that defines a + // list of + // URLs of OCSP responders. 
The OCSP responders can be queried for + // the + // revocation status of an issued certificate. If not set, the + // certificate will be issued with no OCSP servers set. For + // example, an + // OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". + ocspServers?: [...string] + + // SecretName is the name of the secret used to sign Certificates + // issued + // by this Issuer. + secretName!: string + } + selfSigned?: { + // The CRL distribution points is an X.509 v3 certificate + // extension which identifies + // the location of the CRL from which the revocation of this + // certificate can be checked. + // If not set certificate will be issued without CDP. Values are + // strings. + crlDistributionPoints?: [...string] + } + + // Vault configures this issuer to sign certificates using a + // HashiCorp Vault + // PKI backend. + vault?: { + // Auth configures how cert-manager authenticates with the Vault + // server. + auth!: { + // AppRole authenticates with Vault using the App Role auth + // mechanism, + // with the role and secret stored in a Kubernetes Secret + // resource. + appRole?: { + // Path where the App Role authentication backend is mounted in + // Vault, e.g: + // "approle" + path!: string + + // RoleID configured in the App Role authentication backend when + // setting + // up the authentication backend in Vault. + roleId!: string + + // Reference to a key in a Secret that contains the App Role + // secret used + // to authenticate with Vault. + // The `key` field must be specified and denotes which entry + // within the Secret + // resource is used as the app role secret. + secretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. 
+ // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // ClientCertificate authenticates with Vault by presenting a + // client + // certificate during the request's TLS handshake. + // Works only when using HTTPS protocol. + clientCertificate?: { + // The Vault mountPath here is the mount path to use when + // authenticating with + // Vault. For example, setting a value to `/v1/auth/foo`, will use + // the path + // `/v1/auth/foo/login` to authenticate with Vault. If + // unspecified, the + // default value "/v1/auth/cert" will be used. + mountPath?: string + + // Name of the certificate role to authenticate against. + // If not set, matching any certificate role, if available. + name?: string + + // Reference to Kubernetes Secret of type "kubernetes.io/tls" + // (hence containing + // tls.crt and tls.key) used to authenticate to Vault using TLS + // client + // authentication. + secretName?: string + } + + // Kubernetes authenticates with Vault by passing the + // ServiceAccount + // token stored in the named Secret resource to the Vault server. + kubernetes?: { + // The Vault mountPath here is the mount path to use when + // authenticating with + // Vault. For example, setting a value to `/v1/auth/foo`, will use + // the path + // `/v1/auth/foo/login` to authenticate with Vault. If + // unspecified, the + // default value "/v1/auth/kubernetes" will be used. + mountPath?: string + + // A required field containing the Vault Role to assume. A Role + // binds a + // Kubernetes ServiceAccount with a set of Vault policies. + role!: string + + // The required Secret field containing a Kubernetes + // ServiceAccount JWT used + // for authenticating with Vault. Use of 'ambient credentials' is + // not + // supported. + secretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. 
+ // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // A reference to a service account that will be used to request a + // bound + // token (also known as "projected token"). Compared to using + // "secretRef", + // using this field means that you don't rely on statically bound + // tokens. To + // use this field, you must configure an RBAC rule to let + // cert-manager + // request a token. + serviceAccountRef?: { + // TokenAudiences is an optional list of extra audiences to + // include in the token passed to Vault. The default token + // consisting of the issuer's namespace and name is always + // included. + audiences?: [...string] + + // Name of the ServiceAccount used to request a token. + name!: string + } + } + + // TokenSecretRef authenticates with Vault by presenting a token. + tokenSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + } + + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate + // chain presented by Vault. Only used if using HTTPS to connect + // to Vault and + // ignored for HTTP connections. + // Mutually exclusive with CABundleSecretRef. + // If neither CABundle nor CABundleSecretRef are defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. 
+ caBundle?: string + + // Reference to a Secret containing a bundle of PEM-encoded CAs to + // use when + // verifying the certificate chain presented by Vault when using + // HTTPS. + // Mutually exclusive with CABundle. + // If neither CABundle nor CABundleSecretRef are defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + // If no key for the Secret is specified, cert-manager will + // default to 'ca.crt'. + caBundleSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Reference to a Secret containing a PEM-encoded Client + // Certificate to use when the + // Vault server requires mTLS. + clientCertSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Reference to a Secret containing a PEM-encoded Client Private + // Key to use when the + // Vault server requires mTLS. + clientKeySecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // Name of the vault namespace. 
Namespaces is a set of features + // within Vault Enterprise that allows Vault environments to + // support Secure Multi-tenancy. e.g: "ns1" + // More about namespaces can be found here + // https://www.vaultproject.io/docs/enterprise/namespaces + namespace?: string + + // Path is the mount path of the Vault PKI backend's `sign` + // endpoint, e.g: + // "my_pki_mount/sign/my-role-name". + path!: string + + // Server is the connection address for the Vault server, e.g: + // "https://vault.example.com:8200". + server!: string + } + + // Venafi configures this issuer to sign certificates using a + // Venafi TPP + // or Venafi Cloud policy zone. + venafi?: { + // Cloud specifies the Venafi cloud configuration settings. + // Only one of TPP or Cloud may be specified. + cloud?: { + // APITokenSecretRef is a secret key selector for the Venafi Cloud + // API token. + apiTokenSecretRef!: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // URL is the base URL for Venafi Cloud. + // Defaults to "https://api.venafi.cloud/v1". + url?: string + } + + // TPP specifies Trust Protection Platform configuration settings. + // Only one of TPP or Cloud may be specified. + tpp?: { + // Base64-encoded bundle of PEM CAs which will be used to validate + // the certificate + // chain presented by the TPP server. Only used if using HTTPS; + // ignored for HTTP. + // If undefined, the certificate bundle in the cert-manager + // controller container + // is used to validate the chain. + caBundle?: string + + // Reference to a Secret containing a base64-encoded bundle of PEM + // CAs + // which will be used to validate the certificate chain presented + // by the TPP server. 
+ // Only used if using HTTPS; ignored for HTTP. Mutually exclusive + // with CABundle. + // If neither CABundle nor CABundleSecretRef is defined, the + // certificate bundle in + // the cert-manager controller container is used to validate the + // TLS connection. + caBundleSecretRef?: { + // The key of the entry in the Secret resource's `data` field to + // be used. + // Some instances of this field may be defaulted, in others it may + // be + // required. + key?: string + + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + credentialsRef!: { + // Name of the resource being referred to. + // More info: + // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + name!: string + } + + // URL is the base URL for the vedsdk endpoint of the Venafi TPP + // instance, + // for example: "https://tpp.example.com/vedsdk". + url!: string + } + + // Zone is the Venafi Policy Zone to use for this issuer. + // All requests made to the Venafi platform will be restricted by + // the named + // zone policy. + // This field is required. + zone!: string + } +} diff --git a/k8s/timoni/codebattle/templates/config.cue b/k8s/timoni/codebattle/templates/config.cue index d008249c1..574f8da49 100644 --- a/k8s/timoni/codebattle/templates/config.cue +++ b/k8s/timoni/codebattle/templates/config.cue @@ -66,10 +66,12 @@ import ( } gateway: { - enable: *false | bool + enable: certManager.enable & (*false | bool) gatewayName: string host: *"codebattle.hexlet.io" | string } + + certManager: enable: *false | bool } // Instance takes the config values and outputs the Kubernetes objects. @@ -85,5 +87,8 @@ import ( if config.gateway.enable { gateway: #HTTPRoute & {#config: config} } + if config.certManager.enable { + issuer: #Issuer & {#config: config} + } } } 
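Review bot: `enable: certManager.enable & (*false | bool)` unifies the two flags rather than expressing a dependency, so a values file with `gateway: enable: true` and `certManager: enable: false` (or the reverse) fails with a CUE conflicting-values error instead of a readable message, and nothing in the hunk says why the flags are tied. If the intent is that the Issuer needs the gateway (issuer.cue references `#config.gateway.gatewayName`), the clearer form is to leave `enable: *false | bool` untouched and guard the object in the second hunk with `if config.certManager.enable && config.gateway.enable {`; if the unification is deliberate, document it with `// Tied to certManager.enable: the ACME Issuer's HTTP-01 solver attaches to this gateway, so both flags must agree.` The enclosing #Config definition starts outside the hunk.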
diff --git a/k8s/timoni/codebattle/templates/httproute.cue b/k8s/timoni/codebattle/templates/httproute.cue
index b59a2b6b5..f8e22c184 100644
--- a/k8s/timoni/codebattle/templates/httproute.cue
+++ b/k8s/timoni/codebattle/templates/httproute.cue
@@ -11,9 +11,9 @@ import (
 metadata: #config.metadata
 spec: {
 parentRefs: [{
- name: #config.gateway.gatewayName
+ name: #config.gateway.gatewayName
+ sectionName: "https"
 }]
- hostnames: [#config.gateway.host]
 rules: [{
 matches: [{
 path: {
diff --git a/k8s/timoni/codebattle/templates/issuer.cue b/k8s/timoni/codebattle/templates/issuer.cue
new file mode 100644
index 000000000..1729a750b
--- /dev/null
+++ b/k8s/timoni/codebattle/templates/issuer.cue
@@ -0,0 +1,25 @@
+package templates
+
+import (
+ issuerv1 "cert-manager.io/issuer/v1"
+)
+
+#Issuer: issuerv1.#Issuer & {
+ #config: #Config
+ apiVersion: "cert-manager.io/v1"
+ kind: "Issuer"
+ metadata: #config.metadata
+ spec: {
+ acme: {
+ server: "https://acme-v02.api.letsencrypt.org/directory"
+ privateKeySecretRef: name: "\(metadata.name)-letsencrypt"
+ solvers: [{
+ http01: gatewayHTTPRoute: {
+ parentRefs: [{
+ name: #config.gateway.gatewayName
+ }]
+ }
+ }]
+ }
+ }
+}
diff --git a/k8s/timoni/gateway/templates/config.cue b/k8s/timoni/gateway/templates/config.cue
index 2e2b34be1..56cbabafc 100644
--- a/k8s/timoni/gateway/templates/config.cue
+++ b/k8s/timoni/gateway/templates/config.cue
@@ -21,5 +21,6 @@ import (
 objects: {
 gatewayclass: #GatewayClass & {#config: config}
 gateway: #Gateway & {#config: config}
+ httproute: #HTTPRoute & {#config: config}
 }
 }
diff --git a/k8s/timoni/gateway/templates/gateway.cue b/k8s/timoni/gateway/templates/gateway.cue
index ed17ad798..5edae25bf 100644
--- a/k8s/timoni/gateway/templates/gateway.cue
+++ b/k8s/timoni/gateway/templates/gateway.cue
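Review bot: Dropping `hostnames: [#config.gateway.host]` makes this route accept every hostname the `https` listener admits, so the Host restriction now lives only in the flux.cue JSON patch that sets the listener hostname; a Gateway rendered without that patch, or with a wildcard hostname, would serve the app for any Host header. Keeping `hostnames: [#config.gateway.host]` next to the new `sectionName: "https"` costs nothing and keeps the route self-describing. If the line is intentionally removed, `host: *"codebattle.hexlet.io" | string` in config.cue appears to have no remaining use in this patch and should go too. The #HTTPRoute definition starts and ends outside the hunk.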
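Review bot: The ACME `server` is hard-coded to the Let's Encrypt production directory and no `email` is set, so every test render of this module hits production rate limits and the account receives no expiry or revocation notices. Since #Config already gains `certManager: enable`, I would lift both into it (`certManager: { enable: *false | bool, server: *"https://acme-v02.api.letsencrypt.org/directory" | string, email?: string }` in config.cue) and reference them from `spec.acme`. The solver's `parentRefs` entry has no `sectionName`, so the challenge HTTPRoute cert-manager creates attaches to both listeners of the gateway; adding `sectionName: "http"` pins it to the port-80 listener, which is the only one HTTP-01 needs and the only one that works before a certificate exists. A one-line comment that `Issuer` is namespaced and the referenced Gateway must live in the same namespace would save the next reader a debugging round.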
@@ -9,18 +9,21 @@ import (
 apiVersion: "gateway.networking.k8s.io/v1"
 kind: "Gateway"
 metadata: #config.metadata
+ metadata: annotations: "cert-manager.io/issuer": "codebattle"
 spec: {
 gatewayClassName: metadata.name
 listeners: [{
- name: "tls"
+ name: "http"
+ port: 80
+ protocol: "HTTP"
+ }, {
+ name: "https"
 port: 443
 protocol: "HTTPS"
 tls: {
 mode: "Terminate"
 certificateRefs: [{
- group: ""
- kind: "Secret"
- name: metadata.name
+ name: metadata.name
 }]
 }
 }]
diff --git a/k8s/timoni/gateway/templates/httproute.cue b/k8s/timoni/gateway/templates/httproute.cue
new file mode 100644
index 000000000..5cc3d8f93
--- /dev/null
+++ b/k8s/timoni/gateway/templates/httproute.cue
@@ -0,0 +1,24 @@
+package templates
+
+import (
+ gatewayv1 "gateway.networking.k8s.io/httproute/v1"
+)
+
+#HTTPRoute: gatewayv1.#HTTPRoute & {
+ #config: #Config
+ apiVersion: "gateway.networking.k8s.io/v1"
+ kind: "HTTPRoute"
+ metadata: #config.metadata
+ spec: {
+ parentRefs: [{
+ name: metadata.name
+ sectionName: "http"
+ }]
+ rules: [{
+ filters: [{
+ type: "RequestRedirect"
+ requestRedirect: scheme: "https"
+ }]
+ }]
+ }
+}
diff --git a/k8s/timoni/kustomize-oci/templates/kustomization.cue b/k8s/timoni/kustomize-oci/templates/kustomization.cue
index d3a1badf7..5ce7db165 100644
--- a/k8s/timoni/kustomize-oci/templates/kustomization.cue
+++ b/k8s/timoni/kustomize-oci/templates/kustomization.cue
@@ -32,6 +32,9 @@ import (
 if #config.dependsOn != _|_ {
 dependsOn: #config.dependsOn
 }
- patches: [for p in #config.patches {patch: yaml.Marshal(p)}]
+ patches: [for p in #config.patches {
+ patch: yaml.Marshal(p.patch)
+ target: p.target
+ }]
 }
 }
diff --git a/k8s/timoni/values.cue b/k8s/timoni/values.cue
index 26914b03c..e76c6767d 100644
--- a/k8s/timoni/values.cue
+++ b/k8s/timoni/values.cue
@@ -3,4 +3,5 @@ codebattleValues: {
 enable: true
 gatewayName: "gateway"
 }
+ certManager: enable: true
 }
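Review bot: `metadata: annotations: "cert-manager.io/issuer": "codebattle"` hard-codes the Issuer name of the codebattle module into the gateway module; nothing ties it to the Issuer's actual `metadata.name` (taken from `#config.metadata` in issuer.cue), so renaming either side silently leaves the Gateway without a certificate and TLS termination failing. Derive it from config instead (`metadata: annotations: "cert-manager.io/issuer": #config.issuerName` with `issuerName: *"codebattle" | string` in #Config) or at least add `// Must match the name of the cert-manager Issuer in this namespace (Issuer is namespaced; a ClusterIssuer needs the cert-manager.io/cluster-issuer annotation instead).` Dropping `group: ""` and `kind: "Secret"` from `certificateRefs` relies on the API defaults, which is fine, but a short comment that cert-manager's gateway shim writes the issued certificate into a Secret named after this Gateway would explain why `name: metadata.name` is the right value. The #Gateway definition starts and ends outside the hunk.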
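Review bot: The redirect route has no `matches`, so it is a catch-all on the `http` listener and overlaps the `/.well-known/acme-challenge/…` HTTPRoute that cert-manager's gatewayHTTPRoute solver creates on the same listener; it only works because Gateway API route precedence prefers the more specific path match, and that dependency is undocumented. Add above `rules:` a comment along the lines of `// Catch-all HTTP->HTTPS redirect. cert-manager's HTTP-01 challenge route on this listener uses a more specific path match and therefore takes precedence; do not add a path match here that would outrank it.` `requestRedirect` also leaves `statusCode` at its default (302); for a permanent scheme upgrade `statusCode: 301` is the usual choice so clients and caches remember it.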
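Review bot: `target: p.target` makes `target` mandatory for every entry of `#config.patches`, although a Kustomize strategic-merge patch identifies its target from the resource inside `patch` and the previous form supported exactly that; an entry without `target` now fails to evaluate instead of being passed through. Guard it the same way the hunk already guards `dependsOn`: `if p.target != _|_ { target: p.target }`, so JSON-6902 patches (which need `target`) and plain merge patches both keep working. The definition of `#config.patches` is outside the hunk, so if it already requires `target` this is moot.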