diff --git a/content/docs/cli/cainjector.md b/content/docs/cli/cainjector.md index fc8c598ad4c..dbbb17fd862 100644 --- a/content/docs/cli/cainjector.md +++ b/content/docs/cli/cainjector.md 
@@ -15,28 +15,37 @@ Usage: cainjector [flags] Flags: - --config string Path to a file containing a CAInjectorConfiguration object used to configure the controller - --enable-apiservices-injectable Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true) - --enable-certificates-data-source Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true) - --enable-customresourcedefinitions-injectable Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true) - --enable-mutatingwebhookconfigurations-injectable Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true) - --enable-profiling Enable profiling for controller. - --enable-validatingwebhookconfigurations-injectable Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true) - --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: - AllAlpha=true|false (ALPHA - default=false) - AllBeta=true|false (BETA - default=false) - ServerSideApply=true|false (ALPHA - default=false) - -h, --help help for cainjector - --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
- --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) - --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) - --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") - --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) - --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) - --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) - --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text") - --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. - --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060") - -v, --v Level number for the log level verbosity - --vmodule pattern=N,... 
comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) + --config string Path to a file containing a CAInjectorConfiguration object used to configure the controller + --enable-apiservices-injectable Inject CA data to annotated APIServices. This functionality is not required if cainjector is only used as cert-manager's internal component and setting it to false might reduce memory consumption (default true) + --enable-certificates-data-source Enable configuring cert-manager.io Certificate resources as potential sources for CA data. Requires cert-manager.io Certificate CRD to be installed. This data source can be disabled to reduce memory consumption if you only use cainjector as part of cert-manager's installation (default true) + --enable-customresourcedefinitions-injectable Inject CA data to annotated CustomResourceDefinitions. This functionality is not required if cainjecor is only used as cert-manager's internal component and setting it to false might slightly reduce memory consumption (default true) + --enable-mutatingwebhookconfigurations-injectable Inject CA data to annotated MutatingWebhookConfigurations. This functionality is required for cainjector to work correctly as cert-manager's internal component (default true) + --enable-profiling Enable profiling for controller. + --enable-validatingwebhookconfigurations-injectable Inject CA data to annotated ValidatingWebhookConfigurations. This functionality is required for cainjector to correctly function as cert-manager's internal component (default true) + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + ServerSideApply=true|false (ALPHA - default=false) + -h, --help help for cainjector + --kubeconfig string Paths to a kubeconfig. Only required if out-of-cluster. 
+ --leader-elect If true, cainjector will perform leader election between instances to ensure no more than one instance of cainjector operates at a time (default true) + --leader-election-lease-duration duration The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. (default 1m0s) + --leader-election-namespace string Namespace used to perform leader election. Only used if leader election is enabled (default "kube-system") + --leader-election-renew-deadline duration The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. (default 40s) + --leader-election-retry-period duration The duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. (default 15s) + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". 
(default "text") + --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates + --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs metrics serving certificates + --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the metrics dynamic serving CA + --metrics-dynamic-serving-leaf-duration duration leaf duration of metrics serving certificates (default 168h0m0s) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402") + --metrics-tls-cert-file string path to the file containing the TLS certificate to serve metrics with + --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --metrics-tls-min-version string Minimum TLS version supported by the metrics server. 
If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --metrics-tls-private-key-file string path to the file containing the TLS private key to serve metrics with + --namespace string If set, this limits the scope of cainjector to a single namespace. If set, cainjector will not update resources with certificates outside of the configured namespace. + --profiler-address string The host and port that Go profiler should listen on, i.e localhost:6060. Ensure that profiler is not exposed on a public address. Profiler will be served at /debug/pprof. (default "localhost:6060") + -v, --v Level number for the log level verbosity + --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) ``` diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md index 343cff2f13c..7943f2833fe 100644 --- a/content/docs/cli/controller.md +++ b/content/docs/cli/controller.md 
@@ -21,7 +21,7 @@ Flags: --acme-http01-solver-resource-request-cpu string Defines the resource request CPU size when spawning new ACME HTTP01 challenge solver pods. (default "10m") --acme-http01-solver-resource-request-memory string Defines the resource request Memory size when spawning new ACME HTTP01 challenge solver pods. (default "64Mi") --acme-http01-solver-run-as-non-root Defines the ability to run the http01 solver as root for troubleshooting issues (default true) - --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate (default [kubernetes.io/tls-acme]) + --auto-certificate-annotations strings The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate (default [kubernetes.io/tls-acme]) --cluster-issuer-ambient-credentials Whether a cluster-issuer may make use of ambient credentials for issuers. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the ClusterIssuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. (default true) --cluster-resource-namespace string Namespace to store resources owned by cluster scoped resources such as ClusterIssuer in. This must be specified if ClusterIssuers are enabled. (default "kube-system") --concurrent-workers int The number of concurrent workers for each controller. (default 5) 
@@ -51,6 +51,7 @@ Flags: ServerSideApply=true|false (ALPHA - default=false) StableCertificateRequestName=true|false (BETA - default=true) UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false) + UseDomainQualifiedFinalizer=true|false (ALPHA - default=false) ValidateCAA=true|false (ALPHA - default=false) -h, --help help for controller --issuer-ambient-credentials Whether an issuer may make use of ambient credentials. 'Ambient Credentials' are credentials drawn from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object. When this flag is enabled, the following sources for credentials are also used: AWS - All sources the Go SDK defaults to, notably including any EC2 IAM roles available via instance metadata. diff --git a/content/docs/cli/webhook.md b/content/docs/cli/webhook.md index 64b4d08e932..b4ef77b6313 100644 --- a/content/docs/cli/webhook.md +++ b/content/docs/cli/webhook.md 
@@ -14,31 +14,40 @@ Usage: webhook [flags] Flags: - --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. - --config string Path to a file containing a WebhookConfiguration object used to configure the webhook - --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates - --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates - --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA - --dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s) - --enable-profiling Enable profiling for webhook. - --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: - AdditionalCertificateOutputFormats=true|false (BETA - default=true) - AllAlpha=true|false (ALPHA - default=false) - AllBeta=true|false (BETA - default=false) - LiteralCertificateSubject=true|false (BETA - default=true) - NameConstraints=true|false (ALPHA - default=false) - OtherNames=true|false (ALPHA - default=false) - --healthz-port int32 port number to listen on for insecure healthz connections (default 6080) - -h, --help help for webhook - --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used - --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) - --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text") - --profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run. 
(default "localhost:6060") - --secure-port int32 port number to listen on for secure TLS connections (default 6443) - --tls-cert-file string path to the file containing the TLS certificate to serve with - --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA - --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 - --tls-private-key-file string path to the file containing the TLS private key to serve with - -v, --v Level number for the log level verbosity - --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) + --api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted. 
+ --config string Path to a file containing a WebhookConfiguration object used to configure the webhook + --dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates + --dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates + --dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA + --dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s) + --enable-profiling Enable profiling for webhook. + --feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are: + AdditionalCertificateOutputFormats=true|false (BETA - default=true) + AllAlpha=true|false (ALPHA - default=false) + AllBeta=true|false (BETA - default=false) + LiteralCertificateSubject=true|false (BETA - default=true) + NameConstraints=true|false (ALPHA - default=false) + OtherNames=true|false (ALPHA - default=false) + --healthz-port int32 port number to listen on for insecure healthz connections (default 6080) + -h, --help help for webhook + --kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used + --log-flush-frequency duration Maximum number of seconds between log flushes (default 5s) + --logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". 
(default "text") + --metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates + --metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs metrics serving certificates + --metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the metrics dynamic serving CA + --metrics-dynamic-serving-leaf-duration duration leaf duration of metrics serving certificates (default 168h0m0s) + --metrics-listen-address string The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402") + --metrics-tls-cert-file string path to the file containing the TLS certificate to serve metrics with + --metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --metrics-tls-min-version string Minimum TLS version supported by the metrics server. 
If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --metrics-tls-private-key-file string path to the file containing the TLS private key to serve metrics with + --profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run. (default "localhost:6060") + --secure-port int32 port number to listen on for secure TLS connections (default 6443) + --tls-cert-file string path to the file containing the TLS certificate to serve with + --tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA + --tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. 
Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13 + --tls-private-key-file string path to the file containing the TLS private key to serve with + -v, --v Level number for the log level verbosity + --vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format) ``` diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md index eb030dfcc2a..e9e7eddb1d0 100644 --- a/content/docs/reference/api-docs.md +++ b/content/docs/reference/api-docs.md @@ -765,6 +765,19 @@ description: >-

+ + + podTemplate +
+ + ACMEChallengeSolverHTTP01IngressPodTemplate + + + + (Optional) +

Optional pod template used to configure the ACME challenge solver pods used for HTTP01 challenges.

+ +

ACMEChallengeSolverHTTP01Ingress

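Review bot: The new `podTemplate` field is typed `ACMEChallengeSolverHTTP01IngressPodTemplate` although it is being added to the section that precedes `ACMEChallengeSolverHTTP01Ingress` (the later hunk in this patch updates that type's "Appears on" line to include `ACMEChallengeSolverHTTP01GatewayHTTPRoute`); a sentence saying that the Ingress and GatewayHTTPRoute solvers share one template type would stop readers from taking the Ingress-named type here for a copy-paste error. The description also repeats "used" ("pod template used to configure the ... solver pods used for HTTP01 challenges"); "Optional pod template for the HTTP01 challenge solver pods" says the same thing.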
@@ -906,7 +919,7 @@ description: >- (Optional) -

Annotations that should be added to the create ACME HTTP01 solver pods.

+

Annotations that should be added to the created ACME HTTP01 solver pods.

@@ -922,6 +935,132 @@ description: >- +

ACMEChallengeSolverHTTP01IngressPodSecurityContext

+

(Appears on: ACMEChallengeSolverHTTP01IngressPodSpec)

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ seLinuxOptions +
+ + Kubernetes core/v1.SELinuxOptions + +
+ (Optional) +

The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsUser +
+ int64 +
+ (Optional) +

The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsGroup +
+ int64 +
+ (Optional) +

The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.

+
+ runAsNonRoot +
+ bool +
+ (Optional) +

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.

+
+ supplementalGroups +
+ []int64 +
+ (Optional) +

A list of groups applied to the first process run in each container, in addition to the container’s primary GID, the fsGroup (if specified), and group memberships defined in the container image for the uid of the container process. If unspecified, no additional groups are added to any container. Note that group memberships defined in the container image for the uid of the container process are still effective, even if they are not included in this list. Note that this field cannot be set when spec.os.name is windows.

+
+ fsGroup +
+ int64 +
+ (Optional) +

A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:

+
    +
  1. The owning GID will be the FSGroup
  2. +
  3. The setgid bit is set (new files created in the volume will be owned by FSGroup)
  4. +
  5. The permission bits are OR’d with rw-rw—-
  6. +
+

If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.

+
+ sysctls +
+ + []Kubernetes core/v1.Sysctl + +
+ (Optional) +

Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.

+
+ fsGroupChangePolicy +
+ + Kubernetes core/v1.PodFSGroupChangePolicy + +
+ (Optional) +

fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are “OnRootMismatch” and “Always”. If not specified, “Always” is used. Note that this field cannot be set when spec.os.name is windows.

+
+ seccompProfile +
+ + Kubernetes core/v1.SeccompProfile + +
+ (Optional) +

The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows.

+

ACMEChallengeSolverHTTP01IngressPodSpec

(Appears on: ACMEChallengeSolverHTTP01IngressPodTemplate)

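Review bot: The `fsGroup` description renders its list with empty numbered items ("1. The owning GID will be the FSGroup 2. 3. The setgid bit is set ... 4. 5. The permission bits are OR'd with ... 6."), and the permission mask has been mangled by smart-dash substitution (the hyphens of the mode string now show as a dash), so the generator should emit the list without the interleaved blank lines and put `rw-rw----` in backticks so it survives rendering. Separately, because `runAsUser` and `runAsNonRoot` in this new `ACMEChallengeSolverHTTP01IngressPodSecurityContext` apply to the same HTTP01 solver pods that the controller's existing `--acme-http01-solver-run-as-non-root` flag governs, the section should state the precedence between the two when both are set; as written, a reader has two knobs for one property and no rule for which wins. Minor upstream text: "ownership(and permissions)" in `fsGroupChangePolicy` is missing a space.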
@@ -1005,10 +1144,23 @@ description: >-

If specified, the pod’s imagePullSecrets

+ + + securityContext +
+ + ACMEChallengeSolverHTTP01IngressPodSecurityContext + + + + (Optional) +

If specified, the pod’s security context

+ +

ACMEChallengeSolverHTTP01IngressPodTemplate

-

(Appears on: ACMEChallengeSolverHTTP01Ingress)

+

(Appears on: ACMEChallengeSolverHTTP01GatewayHTTPRoute, ACMEChallengeSolverHTTP01Ingress)

@@ -1117,6 +1269,19 @@ description: >-

If specified, the pod’s imagePullSecrets

+ + + +
+ securityContext +
+ + ACMEChallengeSolverHTTP01IngressPodSecurityContext + +
+ (Optional) +

If specified, the pod’s security context

+
@@ -1816,7 +1981,7 @@ description: >- (Optional) -

If set, the provider will manage only this zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName api call.

+

If set, the provider will manage only this zone in Route53 and will not do a lookup using the route53:ListHostedZonesByName api call.

@@ -1826,7 +1991,12 @@ description: >- string -

Always set the region when using AccessKeyID and SecretAccessKey

+ (Optional) +

Override the AWS region.

+

Route53 is a global service and does not have regional endpoints but the region specified here (or via environment variables) is used as a hint to help compute the correct AWS credential scope and partition when it connects to Route53. See: - Amazon Route 53 endpoints and quotas- Global services

+

If you omit this region field, cert-manager will use the region from AWS_REGION and AWS_DEFAULT_REGION environment variables, if they are set in the cert-manager controller Pod.

+

The region field is not needed if you use IAM Roles for Service Accounts (IRSA). Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: Amazon EKS Pod Identity Webhook. In this case this region field value is ignored.

+

The region field is not needed if you use EKS Pod Identities. Instead an AWS_REGION environment variable is added to the cert-manager controller Pod by: Amazon EKS Pod Identity Agent, In this case this region field value is ignored.

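Review bot: The two closing paragraphs ("not needed if you use IAM Roles for Service Accounts (IRSA) ... Amazon EKS Pod Identity Webhook" and "not needed if you use EKS Pod Identities ... Amazon EKS Pod Identity Agent") make the same point for two mechanisms and could be one sentence naming both; the second also has a comma splice ("Pod Identity Agent, In this case") that should be a full stop. The "See:" references after the Route53 paragraph run together here ("endpoints and quotas- Global services"), so check that the generator emits them as two separate list items. The paragraph covers the field being set and the AWS_REGION/AWS_DEFAULT_REGION fallback, but not what cert-manager does when neither is present; one sentence on that case would complete the new `(Optional)` marker.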
@@ -2563,7 +2733,7 @@ description: >-

"invalid"

-

Invalid signifies that an ACME resource is invalid for some reason. If an Order is marked ‘invalid’, one of its validations be have invalid for some reason. This is a final state.

+

Invalid signifies that an ACME resource is invalid for some reason. If an Order is marked ‘invalid’, one of its validations must be invalid for some reason. This is a final state.

@@ -2723,6 +2893,26 @@ description: >-

featureGates is a map of feature names to bools that enable or disable experimental features.

+ + + metricsListenAddress +
+ string + + +

The host and port that the metrics endpoint should listen on. The value “0” disables the metrics server. Defaults to ‘0.0.0.0:9402’.

+ + + + + metricsTLSConfig +
+ github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.TLSConfig + + +

metricsTLSConfig is used to configure the metrics server TLS settings.

+ +

EnableDataSourceConfig

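Review bot: `metricsTLSConfig` is described only as "used to configure the metrics server TLS settings"; since `metricsListenAddress` defaults to '0.0.0.0:9402', the field should say what the endpoint serves when `metricsTLSConfig` is omitted, and point at the matching `--metrics-tls-*` / `--metrics-dynamic-serving-*` flags in cainjector.md, as the flag text and this configuration object are two routes to the same setting and currently neither answers that question. Minor: quoting is mixed within one sentence in `metricsListenAddress` ("The value “0” ... Defaults to ‘0.0.0.0:9402’"), whereas the CLI text uses '0' and "0.0.0.0:9402"; pick one style.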
@@ -2743,7 +2933,7 @@ description: >- bool -

Certificates detemines whether cainjector’s control loops will watch cert-manager Certificate resources as potential sources of CA data. If not set, defaults to true.

+

Certificates determines whether cainjector’s control loops will watch cert-manager Certificate resources as potential sources of CA data. If not set, defaults to true.

@@ -2950,7 +3140,23 @@ description: >- (Optional)

How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

-

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.

+

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.

+ + + + + renewBeforePercentage +
+ int32 + + + (Optional) +

renewBeforePercentage is like renewBefore, except it is a relative percentage rather than an absolute duration. For example, if a certificate is valid for 60 minutes, and renewBeforePercentage=25, cert-manager will begin to attempt to renew the certificate 45 minutes after it was issued (i.e. when there are 15 minutes (25%) remaining until the certificate is no longer valid).

+

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

+

+ Value must be an integer in the range (0,100). The minimum effective + renewBefore derived from the renewBeforePercentage and duration fields is 5 minutes. Cannot be set if the renewBefore field is set. +

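Review bot: In the new renewBefore text the default fraction renders as "13 of the issued certificate's lifetime" on both the removed and the added line; it should read 1/3 (i.e. renewal is attempted at two thirds of the lifetime), so check how the slash survives generation. In the renewBeforePercentage row, "in the range (0,100)" uses interval notation that most users will not read as exclusive; spell out that 0 and 100 are rejected (for example "an integer from 1 to 99"). It would also help to show the 5-minute floor interacting with the percentage in the example: with the 60-minute certificate and 25% the 15 minutes remaining is above the floor, but for a short-lived certificate the floor, not the percentage, decides the renewal time.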
@@ -3632,7 +3838,7 @@ description: >-

CertificateCondition

(Appears on: CertificateStatus)

-

CertificateCondition contains condition information for an Certificate.

+

CertificateCondition contains condition information for a Certificate.

@@ -3717,7 +3923,7 @@ description: >-

CertificateConditionType (string alias)

(Appears on: CertificateCondition)

-

CertificateConditionType represents an Certificate condition value.

+

CertificateConditionType represents a Certificate condition value.

@@ -3857,7 +4063,7 @@ description: >- @@ -3979,7 +4185,7 @@ description: >-

CertificateRequestConditionType (string alias)

(Appears on: CertificateRequestCondition)

-

CertificateRequestConditionType represents an Certificate condition value.

+

CertificateRequestConditionType represents a Certificate condition value.

(Optional)

RotationPolicy controls how private keys should be regenerated when a re-issuance is being processed.

-

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exists but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.

+

If set to Never, a private key will only be generated if one does not already exist in the target spec.secretName. If one does exist but it does not have the correct algorithm or size, a warning will be raised to await user intervention. If set to Always, a private key matching the specified requirements will be generated whenever a re-issuance occurs. Default is Never for backward compatibility.

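Review bot: The grammar fix ("does exist") is fine, but while this description is touched it should state the consequence of the default plainly: with Never the existing key in spec.secretName is reused across every re-issuance, and a key that fails the algorithm or size check only produces a warning, so operators who want key rotation must opt in with Always. The phrase "await user intervention" does not say what the user has to do; stating that the Secret must be deleted or the policy changed would close that gap.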
@@ -4336,7 +4542,23 @@ description: >- (Optional)

How long before the currently issued certificate’s expiry cert-manager should renew the certificate. For example, if a certificate is valid for 60 minutes, and renewBefore=10m, cert-manager will begin to attempt to renew the certificate 50 minutes after it was issued (i.e. when there are 10 minutes remaining until the certificate is no longer valid).

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

-

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration.

+

If unset, this defaults to 13 of the issued certificate’s lifetime. Minimum accepted value is 5 minutes. Value must be in units accepted by Go time.ParseDuration https://golang.org/pkg/time/#ParseDuration. Cannot be set if the renewBeforePercentage field is set.

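Review bot: This is the second copy of the renewBefore description and carries the same defect as the first: the default fraction shows as "13" rather than 1/3 on both the old and new line. Since this file is generated, the fix has to land in the Go field comment upstream so both occurrences change together rather than being patched here by hand.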
+ + + + + @@ -4583,7 +4805,7 @@ description: >- @@ -5558,7 +5780,7 @@ description: >-

VaultAuth

(Appears on: VaultIssuer)

-

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [tokenSecretRef, appRole or kubernetes].

+

VaultAuth is configuration used to authenticate with a Vault server. The order of precedence is [tokenSecretRef, appRole, clientCertificate or kubernetes].

+ renewBeforePercentage +
+ int32 +
+ (Optional) +

renewBeforePercentage is like renewBefore, except it is a relative percentage rather than an absolute duration. For example, if a certificate is valid for 60 minutes, and renewBeforePercentage=25, cert-manager will begin to attempt to renew the certificate 45 minutes after it was issued (i.e. when there are 15 minutes (25%) remaining until the certificate is no longer valid).

+

NOTE: The actual lifetime of the issued certificate is used to determine the renewal time. If an issuer returns a certificate with a different lifetime than the one requested, cert-manager will use the lifetime of the issued certificate.

+

+ Value must be an integer in the range (0,100). The minimum effective + renewBefore derived from the renewBeforePercentage and duration fields is 5 minutes. Cannot be set if the renewBefore field is set. +

(Optional) -

LastFailureTime is set only if the lastest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.

+

LastFailureTime is set only if the latest issuance for this Certificate failed and contains the time of the failure. If an issuance has failed, the delay till the next issuance will be calculated using formula time.Hour * 2 ^ (failedIssuanceAttempts - 1). If the latest issuance has succeeded this field will be unset.

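Review bot: Unrelated to the "lastest" typo this hunk fixes, the LastFailureTime formula "time.Hour * 2 ^ (failedIssuanceAttempts - 1)" is written in Go syntax where ^ is bitwise XOR, not exponentiation, so a reader who copies it into Go gets a different value. Write it as 2^(n-1) hours in words or list the first delays (1h, 2h, 4h, ...) so the doubling back-off is unambiguous.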
@@ -5594,6 +5816,19 @@ description: >-

AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.

+ + + +
+ clientCertificate +
+ + VaultClientCertificateAuth + +
+ (Optional) +

ClientCertificate authenticates with Vault by presenting a client certificate during the request’s TLS handshake. Works only when using HTTPS protocol.

+
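Review bot: The new clientCertificate row says it "Works only when using HTTPS protocol" but not what happens when the issuer's server address is plain HTTP: is the Issuer rejected at validation, does the auth attempt fail at runtime, or does cert-manager fall through to the next method in the precedence list [tokenSecretRef, appRole, clientCertificate or kubernetes] given earlier? Document the actual behaviour, since silently falling back to a different credential would be surprising for an auth setting.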
kubernetes @@ -5609,6 +5844,54 @@ description: >-
+

VaultClientCertificateAuth

+

(Appears on: VaultAuth)

+
+

VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret.

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ mountPath +
+ string +
+ (Optional) +

The Vault mountPath here is the mount path to use when authenticating with Vault. For example, setting a value to /v1/auth/foo, will use the path /v1/auth/foo/login to authenticate with Vault. If unspecified, the default value “/v1/auth/cert” will be used.

+
+ secretName +
+ string +
+ (Optional) +

Reference to Kubernetes Secret of type “kubernetes.io/tls” (hence containing tls.crt and tls.key) used to authenticate to Vault using TLS client authentication.

+
+ name +
+ string +
+ (Optional) +

Name of the certificate role to authenticate against. If not set, matching any certificate role, if available.

+

VaultIssuer

(Appears on: IssuerConfig)

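Review bot: The type description for VaultClientCertificateAuth reads "VaultKubernetesAuth is used to authenticate against Vault using a client certificate stored in a Secret", a copy-paste of the wrong type name; it should start "VaultClientCertificateAuth is used ...". Also, secretName is marked (Optional) but its description gives no behaviour for the omitted case; either document what cert-manager presents to Vault when no Secret is referenced or mark the field required. Minor: "If not set, matching any certificate role, if available." is not a sentence; "If not set, any certificate role is matched." reads correctly.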
@@ -5900,7 +6183,7 @@ description: >- -

CredentialsRef is a reference to a Secret containing the username and password for the TPP server. The secret must contain two keys, ‘username’ and ‘password’.

+

CredentialsRef is a reference to a Secret containing the Venafi TPP API credentials. The secret must contain the key ‘access-token’ for the Access Token Authentication, or two keys, ‘username’ and ‘password’ for the API Keys Authentication.

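Review bot: The new CredentialsRef text describes two accepted key sets ('access-token', or 'username' and 'password') but not which one is used when a Secret contains both, nor what happens when it contains neither. State the precedence (or that mixing is rejected) so the failure mode is predictable, and consider noting that the access-token form avoids storing a reusable password in the cluster.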
@@ -5914,6 +6197,19 @@ description: >-

Base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain.

+ + + caBundleSecretRef +
+ + SecretKeySelector + + + + (Optional) +

Reference to a Secret containing a base64-encoded bundle of PEM CAs which will be used to validate the certificate chain presented by the TPP server. Only used if using HTTPS; ignored for HTTP. Mutually exclusive with CABundle. If neither CABundle nor CABundleSecretRef is defined, the certificate bundle in the cert-manager controller container is used to validate the TLS connection.

+ +

X509Subject

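Review bot: The caBundle description just above this hunk still ends "If undefined, the certificate bundle in the cert-manager controller container is used to validate the chain", which is no longer accurate now that caBundleSecretRef can supply the bundle; update it to mirror the new row ("Mutually exclusive with CABundleSecretRef. If neither ... is defined ..."). Separately, "Reference to a Secret containing a base64-encoded bundle of PEM CAs" is ambiguous because Secret data is already base64 in manifests: say whether the decoded Secret value must be raw PEM or an additionally base64-encoded PEM blob, otherwise users will double-encode it.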
@@ -6209,7 +6505,7 @@ description: >- string -

If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched”

+

If set, this limits the scope of cert-manager to a single namespace and ClusterIssuers are disabled. If not specified, all namespaces will be watched

@@ -6291,7 +6587,7 @@ description: >- []string -

Specify which annotations should/shouldn’t be copied from Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes. A prefix starting with a dash(-) specifies an annotation that shouldn’t be copied. Example: ‘*,-kubectl.kuberenetes.io/’- all annotations will be copied apart from the ones where the key is prefixed with ‘kubectl.kubernetes.io/’.

+

Specify which annotations should/shouldn’t be copied from Certificate to CertificateRequest and Order, as well as from CertificateSigningRequest to Order, by passing a list of annotation key prefixes. A prefix starting with a dash(-) specifies an annotation that shouldn’t be copied. Example: ‘*,-kubectl.kubernetes.io/’- all annotations will be copied apart from the ones where the key is prefixed with ‘kubectl.kubernetes.io/’.

@@ -6474,7 +6770,7 @@ description: >- []string -

The annotation consumed by the ingress-shim controller to indicate a ingress is requesting a certificate

+

The annotation consumed by the ingress-shim controller to indicate an ingress is requesting a certificate

@@ -6633,7 +6929,7 @@ description: >-

SecretKeySelector

(Appears on: ACMEExternalAccountBinding, ACMEIssuer, ACMEIssuerDNS01ProviderAcmeDNS, ACMEIssuerDNS01ProviderAkamai, ACMEIssuerDNS01ProviderAzureDNS, ACMEIssuerDNS01ProviderCloudDNS, ACMEIssuerDNS01ProviderCloudflare, ACMEIssuerDNS01ProviderDigitalOcean, ACMEIssuerDNS01ProviderRFC2136, - ACMEIssuerDNS01ProviderRoute53, JKSKeystore, PKCS12Keystore, VaultAppRole, VaultAuth, VaultIssuer, VaultKubernetesAuth, VenafiCloud) + ACMEIssuerDNS01ProviderRoute53, JKSKeystore, PKCS12Keystore, VaultAppRole, VaultAuth, VaultIssuer, VaultKubernetesAuth, VenafiCloud, VenafiTPP)

A reference to a specific ‘key’ within a Secret resource. In some instances, key is a required field.

@@ -6783,9 +7079,29 @@ description: >-

featureGates is a map of feature names to bools that enable or disable experimental features.

+ + + metricsListenAddress +
+ string + + +

The host and port that the metrics endpoint should listen on. The value “0” disables the metrics server. Defaults to ‘0.0.0.0:9402’.

+ + + + + metricsTLSConfig +
+ github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.TLSConfig + + +

metricsTLSConfig is used to configure the metrics server TLS settings.

+ +

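Review bot: metricsTLSConfig is typed as the raw import path github.com/cert-manager/cert-manager/pkg/apis/config/shared/v1alpha1.TLSConfig with no link, which in gen-crd-api-reference-docs output means the shared package is not in the generated set, so the reader cannot see which fields enable TLS on the metrics endpoint. Add the shared v1alpha1 package to the generator input or link to its reference. This matters because the accompanying metricsListenAddress default is '0.0.0.0:9402', i.e. all interfaces, and the only hint that the endpoint can be protected is this undocumented type.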
- Generated with gen-crd-api-reference-docs on git commit 35e27b7. + Generated with gen-crd-api-reference-docs on git commit 67c897d.